InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB sends letters of support for New York’s pending unfair and abusive conduct prohibition
On March 19, the CFPB published a blog post providing input on New York State’s proposed prohibition on unfair and abusive acts, urging passage of A 7138 and S 795, companion bills that are titled the “Consumer and Small business Protection Act” (the “Acts”). The blog post followed the CFPB’s delivery of letters in support of the Act to Governor Hochul, state senators, and state assembly members.
The Acts would expand Section 349 of New York’s general business law to prohibit unfair or abusive acts or practices, in addition to the existing prohibition on deceptive acts or practices. The Acts would also give the New York attorney general authority to bring an action for unfair, unlawful, deceptive, or abusive acts or practices, “regardless of whether or not the underlying violation is directed at individuals or businesses, is consumer-oriented, or involves the offering of goods, services, or property for personal, family or household purposes,” and would give “any person who has been injured by reason of any violation of this section” authority to bring “an action to recover one thousand dollars and his or her actual damages, if any, or both such actions, … regardless of whether or not the underlying violation is consumer-oriented, has a public impact or involves the offering of goods, services or property for personal, family or household purposes.”
The Acts defined an act or practice as unfair “when it causes or is likely to cause substantial injury, the injury is not reasonably avoidable, and the injury is not outweighed by countervailing benefits.” They provided that an “act or practice is deceptive when the act or practice misleads or is likely to mislead a person and the person’s interpretation is reasonable under the circumstances,” and that an act or practice is abusive when “it materially interferes with the ability of a person to understand a term or condition of a product or service,” or “takes unreasonable advantage of: (A) a person’s lack of understanding of the material risks, costs, or conditions of a product or service; (B) a person’s inability to protect his or her interests in selecting or using a product or service; or (C) a person’s reasonable reliance on a person covered by this section to act in his or her interests.” The Bureau’s letters to the state governor and legislature noted that the “reasonable reliance” component of the Acts is “critical,” and like the federal prohibition that “recognizes that people often reasonably expect that certain businesses will help them make difficult financial decisions, and there is potential for betrayal or exploitation of that trust.” The CFPB also mentioned that it has brought numerous actions based on that particular component.
The Acts provided that “standing to bring an action under this section, including but not limited to organizational standing and third-party standing, shall be liberally construed and shall be available to the fullest extent otherwise permitted by law.” Further, “[a]ny individual or non-profit organization entitled to bring an action” under the Acts “may, if the prohibited act or practice has caused damage to others similarly situated, bring an action on behalf of himself or herself and such others to recover actual, statutory and/or punitive damages or obtain other relief as provided for in” the Acts. A nonprofit also may bring an action on behalf of itself, its members, or members of the public that have been injured by a violation of the Acts. Nonprofits may seek the same remedies and damages as individuals.
Wisconsin enacts SB 628 to protect vulnerable adults
On March 22, the Governor of Wisconsin signed SB 628 (the “Act”), which “allows financial service providers to refuse or delay financial transactions when financial exploitation of a vulnerable adult is suspected.”
The Act would authorize financial service providers to refuse or postpone financial transactions on accounts held by or benefiting a vulnerable adult—a term defined as “an adult at risk or an individual who is at least 65 years of age”—if there is a reasonable suspicion of financial exploitation. The Act would not mandate covered financial service providers, which included financial institutions, mortgage bankers, brokers, and loan originators, among others, to take such action. Additionally, financial service providers were allowed, but not obligated, to act on information from elder-adult-at-risk agencies, adult-at-risk agencies, or law enforcement regarding potential financial exploitation. The Act mandated that financial service providers give notice when transactions are refused or delayed and defined the time limits for such actions. It also permitted financial service providers to refuse to accept a power of attorney if financial exploitation is suspected. Moreover, the Act outlined a procedure for financial service providers to compile a list of contacts that a vulnerable adult authorizes, which can be used if exploitation is suspected, and authorized the financial service provider to share its suspicions with designated individuals, including those on the list. Financial service providers acting in good faith would be granted immunity from any criminal, civil, or administrative liability for actions such as (i) refusing or not refusing a financial transaction; (ii) refusing to accept or accepting a power of attorney; (iii) contacting or not contacting a person to convey suspicion of financial exploitation; and (iv) any action based on a reasonable determination related to these measures. The Act went into effect on March 23.
South Dakota enacts new money transmission law, aligning the law to the Money Transmission Modernization Act
Recently, the Governor of South Dakota, Kristi Noem, signed into law SB 58, which amended and repealed many parts of the state’s money transmission law enacted in 2023 to bring the law more into alignment with a model Money Transmitter Model Law. South Dakota was one of several states that have enacted the model law since 2022 (covered by InfoBytes here, here, here, and here), to harmonize the licensing and regulation of money transmitters between states.
Among many other new provisions, the Act defined “money” to mean a “medium of exchange that is authorized or adopted by the United States or a foreign government” but excluded any central bank digital currency. Additionally, the Act provided for several exemptions, such as the “agent of a payee” exemption, which exempted an agent who collects and processes payment from a payor to a payee for goods and services other than money transmission itself from the Act’s coverage, under certain specified circumstances.
The Act also imposed a licensing regime on persons engaged in the business of money transmission and authorizes and encourages the South Dakota Director of the Division of Banking (Director) to coordinate the licensing provisions with other states and utilize the Nationwide Multistate Licensing System for the license applications, maintenance, and renewals. SB 58 amended the required surety bond amount from $100,000 to $500,000, to the greater of $100,000 or an amount equal to the licensee’s average daily money transmission liability in South Dakota for the most recent three-month period, up to a maximum of $500,000, or if the licensee’s tangible net worth exceeds 10% of total assets, $100,000.
Once a license application is completed, the Director will have 120 days to approve or deny the application. In addition to the license application process, the Act also outlined the criteria for renewing, maintaining, and changing control of the license, as well as the licensee’s responsibility to keep records and maintain permissible investments. Notably, if a licensee is transmitting virtual currencies, then the licensee must “hold like-kind virtual currencies of the same volume as that held by the licensee but that is obligated to consumers” instead of the permissible investments otherwise listed under the Act. The Act will go into effect on July 1.
Utah enshrines two acts to create cybersecurity notification guidelines
On March 19, Utah enacted SB 98 which amended the state’s online data security and privacy requirements. SB 98 will include new protocols that individuals and governmental entities must follow under its data breach reporting requirements. SB 98 will require individuals and governmental entities to provide specific information about the breach, including, among other things: (i) when the data breach occurred; (ii) when the data breach was discovered; (iii) the total number of individuals affected by the breach, with a separate count for Utah residents; (iv) the type of personal data involved; (v) a brief description of the data breach; and only for government entities (vi) the path of means by which access was granted to the system if known; (vii) the individual or entity who perpetrated the breach if known; and (viii) the actions taken by the governmental entity to mitigate the effects of the breach. Additionally, the Cyber Center will be tasked with assisting the governmental entity in responding to breaches. This assistance may include: (a) conducting or participating in an internal investigation; (b) assisting law enforcement with their investigation if necessary; (c) determining the scope of the data breach; (d) helping the entity to restore the integrity of the compromised system; and (e) providing any other necessary support in response to the breach.
On that same day, the governor also signed into law HB 491 which enacted the Government Data Privacy Act. Similarly, the bill will describe the duties of state government agencies related to personal data privacy, including breach notification requirements, limits on data collection and use, and the ability to correct and access personal data. On structure, the bill created the Utah Privacy Governing Board to recommend changes in the state privacy policy, established the Office of Data Privacy to coordinate implementation of privacy protections, and named the Personal Privacy Oversight Commission to the Utah Privacy Commission and amended the commission’s duties. Both SB 98 and HB 491 will go into effect on May 1.
Virginia enacts HB 880, provides protections from lien enforcement against primary residences
On March 8, the Governor of Virginia signed HB 880 (the “Act”), which will prohibit enforcement of a lien against real estate if the real estate is the judgment debtor’s primary residence and the amount of the lien does not exceed $25,000. Additionally, if the lien will arise from fees charged by a common interest community association (under certain chapters of Virginia law), the Act will prohibit court action to enforce the lien, given the sum of all judgments, (excluding interest and costs), is $5,000 or less. The Act will also impose recordkeeping requirements for such common interest community associations, specifically, (i) to maintain individual assessment account records; and (ii) to maintain records of any recorded lien during its effective duration. The Act will go into effect on July 1.
Indiana enacts SB 220 on cyber incident notification guidelines
On March 11, the Governor of Indiana signed SB 220 (the “Act”) which will add cyber incident notification guidelines for financial institutions. The Act defined the term "corporation" as the following entities organized in Indiana, including a (i) bank; (ii) trust company; (iii) corporate fiduciary; (iv) savings bank; (v) savings association; (vi) industrial loan and investment company with federal deposit insurance; (vii) credit union; and (viii) bank of discount and deposit.
According to the Act, a corporation will be required to inform the director of the department about a reportable cyber incident or notification incident following the same protocol mandated by the corporation's federal regulatory body or deposit insurance provider. If a corporation does not have a federal regulatory body or deposit insurance provider, it must report the cyber incident to the director of the department using the procedures outlined in U.S.C. 12 CFR 748.1(c), which despite typically applying to federally insured credit unions, will also apply to corporations. The Act will go into effect on July 1.
Utah amends provisions on notifications and definitions of commercial financing transactions
On March 13, the Governor of Utah signed into law SB 25, a bill that amended certain provisions related to commercial financing transactions, specifically repealing provisions related to disclosing commercial financing transactions and adding the requirement that a party subject to the notification requirement must submit evidence of registration with the NMLS. The bill also amended Section 7-27-101 of the Laws of Utah, to update the definition of the term “broker” and separate it from the term “provider.” Under Section 7-27-202, the bill removed certain disclosures for commercial financing transactions, including disclosures previously required for open-end credit plans after disbursing funds. Additionally, under Section 70C-1-302, the bill updated two more defined terms: “Commissioner” and “Nationwide database.” Lastly, under Section 70C-8-202, the bill amended certain notification requirements, specifically indicating the party shall file a notification via the NMLS, and such notification will be required annually on or before December 31. The bill will go into effect on May 1.
Utah amends its Consumer Sales Practices Act
On March 13, the Governor of Utah signed HB 443 (the “Act”), also known as the Utah Consumer Sales Practices Act Amendments, into law. The Act will amend class action lawsuits and will clarify provisions related to “targeted solicitations” involving financial information. According to the Act, “targeted solicitation” will be defined as any written or oral advertisement for a product or service that (i) is addressed to the consumer’s personal account; (ii) contains specific account information (iii) is offered by a supplier that is not sponsored by or affiliated with the financial institution managing a consumer’s personal account; and (iv) is not authorized by the financial institution managing the consumer’s personal account. The Act will go into effect on May 1.
Indiana enacts HB 1284 regarding change in terms for deposit accounts
On March 12, the Governor of Indiana signed HB 1284 which codified a new chapter regarding a contract for a deposit account between a depository institution and a consumer may be changed occasionally, subject to the terms of the deposit account agreement. The bill will provide that after continued use of the deposit account by the consumer after a modification to the agreement has been disclosed through written notice by the depository institution, then it will be considered clear or “prima facie” evidence that the consumer will accept the new terms. The depository institution must provide written notice of the changes at least 30 days before the effective date of any change to the deposit account agreement. The bill will go into effect on July 1.
Utah amends credit report disclosures to protect consumers
On March 13, the Governor of Utah signed into law HB 99, a bill that amended certain provisions related to consumer credit protections. Specifically, the bill made an addition to the Credit Services Organizations Act at Utah Code 13-21-7.5, adding a disclosure requirement when a credit services organization provides a credit report to a consumer. The disclosure must identify the consumer reporting agency that provided the information, the credit score model used to calculate the score, and the minimum and maximum possible scores under the model. This bill will go into effect May 1.