InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS settles with bank for compliance failures
On September 29, NYDFS announced a settlement with a South Korean-based bank’s American subsidiary to resolve allegations of repeated violations of AML requirements, the Bank Secrecy Act (BSA), and New York law. According to the consent order, the respondent was repeatedly examined seven times in less than 10 years by DFS and entered into a consent order with the FDIC in 2017 for BSA/AML compliance, among other things. DFS claims that respondents violated (i) New York Banking Law § 44 by conducting their business in an unsafe and unsound manner; (ii) 3 NYCRR § 116.2 by failing to maintain an effective AML compliance program; and (iii) 23 NYCRR § 504.4 by incorrectly certifying compliance with Part 504. To resolve the claims, the respondent agreed to pay a $10 million civil money penalty, and write a written plan detailing improvements to its compliance policies and procedures, among other things.
NY proposes amendments of debt collector rules
On September 30, the New York City Department of Consumer and Worker Protection (Department) published proposed amendments to its rules relating to debt collectors. The proposed amendments to its 2020 rules, which require debt collectors to inform consumers about language access services, come in response to the CFPB’s 2020 updates to the FDCPA, and the Department’s 2022 public hearing, among other things. The proposed rule (i) repeals a section requiring debt collection agencies to give consumers certain disclosures when collecting on time-barred debt; (ii) requires debt collection agencies to maintain an annual report identifying certain actions taken by the agency in any language; (iii) expands the list of required records to cover compliance with relevant laws and rules, as well as a monthly log of all debt collection-related communications by any medium between the agency and the consumer; and (iv) adds definitions relating to communications with consumers, such as “attempted communication,” “clear and conspicuous,” “covered medical entity,” “limited-content message,” “original creditor” and “originating creditor.”
Delaware Personal Data Privacy Act to protect consumers
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.
The Act is effective on January 1, 2025.
CPPA continues efforts towards California Privacy Rights Act
The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).
Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.
The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.
The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.
NYDFS updates criteria for virtual currency regulation
Adrienne Harris, Superintendent of the New York State Department of Financial Services (“DFS”) issued an update on the VOLT initiative, an ongoing project to enhance DFS’s role as a virtual currency regulator. Superintendent Harris published proposed guidance adopting enhanced criteria for procedures to list and de-list virtual currencies as well as updated guidance for designating virtual currencies to the DFS “Greenlist.”
The new General Framework for Greenlisted Coins sets (i) heightened risk assessment standards for coin-listing policies and enhances requirements for consumer-facing products; and (ii) new requirements associated with coin-delisting policies. Under the new guidance, a virtual currency entity that seeks to self-certify coins must create a coin-listing policy and may not self-certify any coins until such possibly has a written approval from DFS. A coin-listing policy must contain and be based on a robust governance structure; comprehensive risk assessment; consideration of factors to identify and mitigate risks involved in each coin and its uses; and policies and procedures to conduct continued monitoring of the coin to ensure consistent safety and soundness compliance.
The new framework does not require prior approval from the DFS to list coins included on the Greenlist, but does require virtual currency entities that choose to list such coins to (i) provide advance notification to DFS and (ii) have a DFS-approved coin-delisting policy.
California AG advocates for medical payment reforms
California Attorney General Rob Bonta submitted a letter to federal agencies urging the federal government to adopt regulations and statutory protections to help protect patients who may need to use medical credit cards and installment loans to pay for healthcare-related bills.
The letter notes that medical payment products exacerbate health disparities, that patients seeking medical care may not be in an appropriate position to make complex financial decisions, and offers California’s protections against medical payment products as a model framework.
In the letter, which is addressed to the U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services, the CFPB, and the Treasury, Bonta recommends (i) designating medical credit card debt as medical debt and not consumer debt; (ii) ensuring providers properly screen patients for financial aid and charity care before offering a medical payment product; (iii) limiting enrollment when patients may be distressed or under the influence of medication; (iv) providing written notice of financial assistance and potential eligibility for charity care; (v) making reasonable efforts to notify patients about the level of insurance coverage of medical expenses; and (vi) reducing patient cost-sharing responsibilities.
California governor signs executive order on GenAI
On September 6, California Governor Gavin Newsom signed an Executive Order (E.O.) instructing state agencies to evaluate how generative artificial intelligence (GenAI) may impact the State and its residents. Specifically, the E.O. requires certain state agencies to provide a report to the Governor which will examine “the most significant, potentially beneficial uses” of GenAI tools by the state. The report must also discuss “the potential risks to individuals, communities, and government and state government workers” from GenAI tools. Certain California agencies, including the Department of Technology, must perform a “risk analysis of potential threats to and vulnerabilities of California’s critical energy infrastructure by the use of GenAI.” The E.O. also requires that the State issue “general guidelines for public sector procurement, uses, and required training for use of GenAI,” and consider pilots of GenAI projects to be tested in “sandboxes.” Lastly, the E.O. directs the State to pursue a formal partnership with certain California higher education institutions to study the impacts of GenAI and support its safe growth.
California AG announces settlement with mortgage servicer
On September 1, California Attorney General (AG) Rob Bonta announced a settlement with a mortgage servicer for its alleged failure to properly process and grant mortgage deferment requests from California military reservists called to active duty. California’s Military and Veterans Code, which includes the California Military Families Financial Relief Act, allows reservists to delay paying mortgages, credit cards, property taxes, car loans, utility bills, and student loans. To defer payment, they must submit a written request and their military orders to the entity to which their payments are due. The AG noted that the California Department of Justice investigated the mortgage servicer’s processes for handling mortgage deferment requests and found that the servicer delayed granting the deferment requests, requested information for eligibility review outside of the 30-day timeframe to do so, and improperly denied deferment requests, on at least 10 occasions. Furthermore, the servicer allegedly attempted to collect payment from some borrowers during the requested deferral period by making calls and sending notices that warned that the servicer would foreclose on the borrowers’ properties if they failed to pay. The servicer also allegedly incorrectly charged some borrowers late fees and other charges for nonpayment of payments that should have been deferred. Finally, the servicer allegedly provided incorrect negative credit information to credit reporting agencies.
Under the terms of the settlement, the servicer agreed to, among other things, (i) pay $58,000 in civil money penalties; (ii) “remediate consumer harm”; (iii) disclose deferment request status to borrowers; and (iv) provide annual reports to the AG documenting compliance with the injunctive terms.
DFPI finalizes small business UDAAP and data reporting rule
DFPI recently approved the final regulation for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. After considering comments and releasing three rounds of modifications to Sections 1060, 1061, and 1062, the final regulation will, among other things, bring protections to small businesses seeking loans, by (i) defining and prohibiting unfair, deceptive, and abusive acts and practices in the offering or provision of commercial financing to small businesses, nonprofits, and family farms; and (ii) establishing data collection and reporting requirements.
Previous InfoBytes coverage on the (i) initial modifications to the CCFPL proposed regulation can be found here; (ii) the second round of CCFPL modifications proposal is found here; and (iii) the third iteration of the modified CCFPL proposal is located here.
This DFPI regulation was notably finalized on the heels of the CFPB’s finalized Section 1071 rule on small business lending data, which similarly will require financial institutions to collect and provide the Bureau data on lending to small businesses (covered by InfoBytes here)
Sections 1060, 1061, and 1062 will be effective on October 1.
DFPI launches actions against crypto scams, initiates education campaign
On August 9, the California Department of Financial Protection and Innovation (DFPI) announced that it issued cease and desist orders against three entities (orders here, here, and here) for allegedly offering and selling unqualified securities, and making material misrepresentations and omissions to investor related to cryptocurrency investments. The entities allegedly created high-yield investment programs (HYIPs), which DFPI characterizes as “investment frauds that typically promise high returns with low risk, promise overly consistent returns, provide little details about the people running the HYIP, use vague language to describe how the HYIP makes money, offer referral bonuses, facilitate deposits and withdrawals with crypto assets, and use social media to gain attention and attract investors.”
The cease and desist orders are just one of the tools DFPI employs to address investment scams involving crypto assets, also using enforcement actions, social media, and a Crypto Scam Tracker. DFPI has posted videos to its social media accounts that are directed towards the same group of individuals targeted by the crypto community in order to educate investors about its enforcement actions and violations of law. The Crypto Scam Tracker was launched earlier this year to help Californian’s identify and avoid scams involving cryptocurrency. (Covered by InfoBytes here).