InfoBytes Blog

Financial Services Law Insights and Observations


  • States support DOE’s overhaul of IDR plans

    State Issues

    On February 13, a coalition of state attorneys general led by California and Massachusetts submitted a letter in support of the Department of Education’s (DOE) proposed changes to income-driven repayment plans (IDR) for federal student loan borrowers. As previously covered by InfoBytes, last month the DOE announced a notice of proposed rulemaking (NPRM) designed to reduce the cost of federal student loan payments. According to the NPRM, the DOE is proposing to amend the regulations governing income-contingent repayment plans by amending the Revised Pay as You Earn (REPAYE) repayment plan, and is looking to restructure and rename the repayment plan regulations under the William D. Ford Federal Direct Loan Program, including combining the Income-Contingent Repayment and the Income-Based Repayment (IBR) plans under the umbrella term of IDR plans. The NPRM would ensure that a borrower’s balance would not grow due to accumulation of unpaid interest if the borrower otherwise makes the monthly payments, and would also establish that for individuals who borrow $12,000 or less, loan forgiveness can occur after making the equivalent of 10 years of payments. That period increases by one year for each additional $1,000 that is borrowed. 

    In their letter, the states expressed support for the DOE’s NPRM, but urged the department to take further steps to support struggling borrowers. The states urged the DOE to expand the scope and reach of the proposed reforms by, among other things, creating a simple path for borrowers in default to enroll in IBR or REPAYE, counting all past forbearance and repayment periods and certain deferment periods towards borrowers’ loan forgiveness, making Parent PLUS loans eligible for REPAYE, and expanding the reach of its reforms to “provide more retroactive relief” to borrowers impacted by widespread servicing errors that prevented them from enrolling in IDR. According to the letter, the DOE should also raise the discretionary income threshold to make debt more manageable for borrowers with the greatest need, eliminate the reverse amortization of IDR loan balances, shorten the period in which borrowers must make payments to receive forgiveness under REPAYE, provide viable repayment options, and automatically enroll delinquent borrowers in IDR plans before they face negative credit reporting and default, among other measures.

    State Issues State Attorney General Department of Education Income-Driven Repayment Student Lending Student Loan Servicer Consumer Finance

  • California’s privacy agency finalizes CPRA regulations

    Privacy, Cyber Risk & Data Security

    On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, which will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).

    According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:

    • Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
    • Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
    • Providing disclosure and communications requirements. The proposed changes also introduce formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities, and that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and, for mobile applications, that conspicuous links should be accessible in the business’ privacy policy.
    • Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time-consuming paths for more privacy-protective options than paths to exercise a less privacy-protective option. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely given, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
    • Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
    • Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
    • Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, businesses should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of personal sensitive information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.

    The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16 years of age, and modify provisions related to investigations and enforcement.

    Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.

    Privacy, Cyber Risk & Data Security State Issues California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • NYDFS implements state CRA revisions

    State Issues

    On February 8, NYDFS announced the adoption of updates to the state’s Community Reinvestment Act (CRA) regulation. The final regulation implements amendments to Banking Law § 28-b, and allows the Department to obtain necessary data to evaluate how well regulated banking institutions are serving minority- and women-owned businesses in their communities. These findings will be integrated into institutions’ CRA ratings, NYDFS said. As previously covered by InfoBytes, NYDFS issued proposed revisions last October, announcing that the modifications are intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. The final regulation details how regulated institutions must collect and submit the necessary data to NYDFS while abiding by fair lending laws. Regulated institutions must inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date of application, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. The final regulation also includes a form for regulated institutions to use to obtain the required data from business loan applications. NYDFS said it will publish a data submission template in the coming months for regulated institutions to use during CRA evaluations. The final regulation takes effect August 8, and provides for a compliance date six months following the publication of the Notice of Adoption in the State Register. Regulated institutions will also have an additional transition period of three months from the compliance date to comply with certain provisions.

    State Issues State Regulators NYDFS Bank Regulatory New York CRA Agency Rule-Making & Guidance Fair Lending

  • New York FY 2024 budget proposes to end unfair overdraft practices

    State Issues

    On February 1, the New York governor released the state’s FY 2024 budget proposal, which includes measures for ending certain bank overdraft and insufficient funds fee practices. Specifically, the proposed legislation would amend section 9-y of the banking law to grant authority to the NYDFS superintendent to promulgate regulations related to (i) supervised banking organizations’ transaction processing practices; (ii) the charges (including overdraft and insufficient funds fees) that banks may impose in connection with dishonored transactions; and (iii) associated disclosures provided to consumers regarding how transactions are processed and any associated fees. In an accompanying budget briefing book, the governor said the proposed measures are part of “nation-leading legislation that comprehensively addresses abusive bank fee practices, which tend to disproportionally harm low- and moderate-income New Yorkers.” Proposed actions include “stopping the opportunistic sequencing of transactions in a way designed to maximize fees charged to consumers, ending other unfair overdraft and non-sufficient funds fee practices, and ensuring clear disclosures and alerts of any permissible bank processing charges.”

    State Issues New York Overdraft NSF Fees Consumer Finance State Legislation NYDFS Bank Regulatory

  • NYDFS finalizes commercial financing disclosures

    State Issues

    On February 1, NYDFS adopted a final regulation (23 NYCRR 600) outlining disclosure requirements for commercial financing transactions in the state. Under the state’s Commercial Finance Disclosure Law (CFDL)—which was enacted at the end of December 2020—providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less.

    The final regulation took into consideration comments received on revised proposed regulations published in 2021 and 2022 (covered by InfoBytes here and here), and provides specific instructions for providers on how to comply with the CFDL. Among other things, the final regulation:

    • Outlines detailed definitions for terms used within the CFDL and in the regulation;
    • Clarifies the definition of “finance charge” with respect to commercial financing transactions, and explains how the finance charge and annual percentage rate should be calculated; 
    • Describes allowed tolerances and specifies occurrences where providers or financers will not assume liability for disclosure errors or inadvertent disclosures;
    • Lays out formatting and content requirements for disclosures required by the CFDL for the following types of financing: (i) sales-based financing; (ii) closed-end financing; (iii) open-end financing; (iv) factoring transaction financing; (v) lease financing; (vi) general asset-based financing; and (vii) all other commercial financing transactions that do not fall within the aforementioned categories; 
    • Clarifies specific itemization disclosure requirements for when the amount financed is greater than the recipient funds;
    • Outlines signature requirements;
    • Describes how the CFDL’s disclosure threshold of $2,500,000 is calculated; 
    • Explains how providers should calculate required disclosures for commercial financing transactions with multiple payment options/balances payable on demand;
    • Details certain duties of financers and brokers involved in commercial financing; 
    • Prescribes a process under which certain providers that use the opt-in method of calculating estimated annual percentage rates will report data to the superintendent; and
    • Specifies provisions related to the assignment of commercial financing agreements.

    23 NYCRR 600 will take effect upon publication of the Notice of Adoption in the State Register. The compliance date is six months after the Notice of Adoption is published.

    State Issues NYDFS State Regulators Commercial Finance Disclosures Bank Regulatory 23 NYCRR 600

  • District Court preliminarily approves $2.75 million autodialer TCPA settlement

    Courts

    On January 31, the U.S. District Court for the District of Maryland preliminarily approved a class action settlement in which a cloud computing technology company agreed to pay $2.75 million to resolve alleged violations of the TCPA and the Maryland Telephone Consumer Protection Act. According to the plaintiff, the defendant violated the TCPA by, among other things, placing unsolicited telemarketing calls using an automated dialing system to class members on residential and cell phone numbers. Under the terms of the proposed settlement agreement, the defendant must establish a non-reversionary fund of $2.75 million to go to class members to whom the defendant (or a third party acting on its behalf) made (i) one or more phone calls to their cell phones; (ii) two or more calls while their numbers were on the National Do Not Call Registry; or (iii) one or more calls after the recipients asked the defendant or the third party to stop calling. “Plaintiff has also shown that a class action litigation is superior to other available methods for adjudicating this controversy,” the court wrote. “Plaintiff's counsel estimate that the average settlement payment to each Class Member would be approximately $30.00 to $60.00. Given this, the individual claims of each Class Member would be too small to justify individual lawsuits.” The court also approved proposed attorneys’ fees (not to exceed a third of the total settlement fund), as well as up to $60,000 for plaintiff’s out-of-pocket expenses and a $10,000 service fee award.

    Courts TCPA Autodialer Class Action State Issues Maryland Do Not Call Registry

  • DFPI takes action against five debt collectors

    State Issues

    On January 30, the California Department of Financial Protection and Innovation (DFPI) announced enforcement actions against five separate debt collectors for unlicensed activity under the Debt Collection Licensing Act (DCLA) and unlawful and deceptive acts or practices in violation of the California Consumer Financial Protection Law (CCFPL). According to DFPI, the desist and refrain orders allege that the subjects engaged in a variety of different unlawful and deceptive practices, including, among other things: (i) engaging in debt collection in California without a license from the DFPI; (ii) attempting to collect a debt that a consumer did not owe; (iii) making unlawful threats to sue on debts; (iv) making false claims of pending lawsuits; and (v) failing to notify consumers of their right to request validation of debts. According to DFPI Commissioner Clothilde Hewlett, the agency has observed “an increase in fake debt collector scams in recent months,” and is “committed to rigorous, ongoing enforcement efforts to protect Californians from these deceitful practices.” The combined actions resulted in penalties totaling $120,000 and ordered the debt collectors to desist and refrain from violating the DCLA and CCFPL.

    State Issues Licensing DFPI California Debt Collection CCFPL Consumer Finance

  • DFPI announces $22.5 million multistate settlement with crypto platform

    State Issues

    On January 26, the California Department of Financial Protection and Innovation (DFPI) announced that it entered into a $22.5 million settlement agreement with a Cayman Islands digital asset firm to resolve a securities enforcement action regarding its interest-bearing virtual currency account. As previously covered by InfoBytes, in September 2022, the New York attorney general sued the firm for allegedly offering unregistered securities and defrauding investors. A North American Securities Administrators Association working group—composed of the DFPI and state regulators from Washington, Kentucky, New York, Oklahoma, Indiana, Maryland, South Carolina, Vermont, and Wisconsin—collaborated in the investigation into the firm. The states alleged that the platform failed to register as a securities and commodities broker but told investors that it was fully in compliance. According to the New York AG’s complaint, the platform promoted and sold securities through an interest-bearing virtual currency account that promised high returns for participating investors. The New York AG said that a cease-and-desist letter was sent to the platform in October 2021, and that while the platform stated it was “working diligently to terminate all services” in the state, it continued to handle more than 5,000 accounts as of July. The complaint charges the platform with violating New York’s Martin Act and New York Executive Law § 63(12), and seeks restitution, disgorgement of profits, and a permanent injunction. The announcement also noted the SEC entered into a separate settlement with the firm for the same penalty amount, alleging that it failed to register the offer and sale of its retail crypto-asset lending product (covered by InfoBytes here).

    State Issues Digital Assets Enforcement DFPI Securities California New York

  • California investigating mobile apps’ CCPA compliance

    Privacy, Cyber Risk & Data Security

    On January 27, the California attorney general announced an investigation into mobile applications’ compliance with the California Consumer Privacy Act (CCPA). The AG sent letters to businesses in the retail, travel, and food service industries who maintain popular mobile apps that allegedly fail to comply with consumer opt-out requests or do not offer mechanisms for consumers to delete personal information or stop the sale of their data. The investigation also focuses on businesses that fail to process consumer opt-out and data-deletion requests submitted through an authorized agent, as required under the CCPA. “On this Data Privacy Day and every day, businesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent,” the AG said, adding that authorized agent requests include “those sent by Permission Slip, a mobile application developed by Consumer Reports that allows consumers to send requests to opt out and delete their personal information.” The AG encouraged the tech industry to develop and adopt user-enabled global privacy controls for mobile operating systems to enable consumers to stop apps from selling their data.

    As previously covered by InfoBytes, the CCPA was enacted in 2018 and took effect January 1, 2020. The California Privacy Protection Agency is currently working on draft regulations to implement the California Privacy Rights Act, which largely became effective January 1, to amend and build upon the CCPA. (Covered by InfoBytes here.)

    Privacy, Cyber Risk & Data Security State Issues State Attorney General California CCPA Compliance Opt-Out Consumer Protection CPRA

  • 4th Circuit affirms certification of class action in tribal lending case

    Courts

    On January 24, the U.S. Court of Appeals for the Fourth Circuit concluded that a district court did not abuse its discretion when certifying a class action. The lawsuit alleges an individual who orchestrated an online payday lending scheme violated the Racketeer Influenced and Corrupt Organizations Act (RICO), engaged in unjust enrichment, and violated Virginia’s usury law by partnering with federally-recognized tribes to issue loans with allegedly usurious interest rates. (Covered by InfoBytes here.) The plaintiffs alleged the defendant partnered with the tribes to circumvent state usury laws even though the tribes did not control the lending operation. The district court stated that, because there was “no substantive involvement” by the tribes in the lending operation and the evidence showed that the defendant was “functionally in charge,” the lending operation—which allegedly charged interest rates exceeding Virginia’s 12 percent interest cap—could not claim tribal immunity.

    After the district court certified two borrower classes, the defendant appealed, arguing, among other things, that “[b]orrowers entered into enforceable loan agreements with lending entities in which they waived their right to bring class claims against him,” and that “common issues do not predominate so as to permit class treatment in this case.” Specifically, the defendant claimed that his role in the lending operations changed throughout the class period, and that individualized “proof” and “tracing” would be necessary to prove that he “participated in the direction of the affairs of the alleged enterprise” or that he received some portion of each borrower’s interest payments.

    On appeal, the 4th Circuit disagreed with the defendant’s assertions. It found no reason to question the district court’s conclusion that the defendant was the “de facto” head of the lending operations throughout the class period. “And the fact that [the defendant] served as the ‘de facto head’ of the lending operations for the entire class period supports the district court’s determination that the Borrowers will be able to use common proof to show that [the defendant] ‘participated in the direction of the’ lending operations such that common questions predominate over individual questions[,]” the appellate court stated. The 4th Circuit further concluded that the “record supports the district court’s conclusion that [the defendant] lied when he said he was never involved in receiving or demanding payments on [the lending operation’s] loans.”

    Courts Appellate RICO Tribal Lending Consumer Finance Payday Lending Usury Interest Rate Class Action State Issues Virginia
