InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Illinois amends mortgage licensing provisions
On June 30, HB 2325 (the “Act”) was signed by the Illinois governor to amend The Residential Mortgage License Act of 1987. According to the amendments, residential mortgage licensees in Illinois must register every physical office where they conduct business with the Secretary of Financial and Professional Regulation. However, they are allowed to permit mortgage loan originators to work from a remote location if certain conditions are fulfilled. Conditions include but are not limited to: (i) the licensee must have written policies and procedures for supervising remote mortgage loan originators; (ii) access to company platforms and customer information must comply with the licensee's information security plan; (iii) mortgage originators' residences cannot be used for in-person customer interactions unless the residence is a licensed location; (iv) physical records cannot be stored at remote locations; and (v) electronics used at remote locations must be able to securely access the company’s systems. Moreover, "remote location" is not considered a full-service office as defined by the regulations. If the loan originator works remotely, their primary office is the office registered on the Nationwide Multistate Licensing System and Registry record, unless they choose another licensed branch.
The Act is effective January 1, 2024.
Nevada requires licenses for EWA providers
The Nevada governor recently signed SB 290 (the “Act”) outlining several requirements for providers of earned wage access (EWA) products. EWA products allow individuals to access their earned income before receiving their regular paycheck. To operate such services in Nevada, providers must obtain a license from the Nevada Commissioner of Financial Institutions. The licensing requirements apply to both “employer-integrated” services, where the provider receives verified data directly from the employer or the employer’s payroll service to deliver unpaid wages, and “direct-to-consumer” services where the provider delivers unpaid wages after verifying the earned income based on data not obtained from the employer or their payroll service. Notably, the Act specifies that EWA products are not loans or money transmissions under Nevada law and are not subject to existing laws governing these products. The Act outlines application and fee requirements (licenses will be issued via the Nationwide Multistate Licensing System and Registry) and requires licensed EWA providers to submit annual reports to the commissioner by April 15 of each year.
Providers of EWA products are also subject to certain prohibitions, which include: (i) sharing any fees, voluntary tips, gratuities, or other donations with an employer; (ii) the use of credit reports or credit scores to determine eligibility for an EWA service; (iii) the imposition of late fees or penalties for nonpayment by users; (iv) the reporting of a user’s nonpayment to a consumer reporting agency or a debt collector; (v) coercion of users to make payments through civil action; and (vi) restrictions on using a third-party collector or debt buyer to pursue collections from a user.
Additionally, EWA providers must, among other things, (i) implement policies and procedures to respond to questions and complaints raised by users (responses must be provided within 10-business days of receipt); (ii) disclose to the user his or her rights, as well as all related fees, prior to entering an agreement; (iii) allow users to cancel their EWA agreements at any time without being charged a fee; (iv) conspicuously disclose that any tips, gratuities, or donations paid by the user do not directly benefit any specific employee of the EWA provider or any other person (providers must also allow users to select $0 as an amount for such a tip); (v) comply with the EFTA when seeking payment of outstanding proceeds, fees, or other payments from a user’s depository account; and (vi) reimburse users for any overdraft or non-sufficient funds fees incurred as a result of the provider attempting to collect payment on a date earlier than disclosed to the user or in an amount different from what was disclosed.
On or before September 30, the commissioner is required to prescribe application requirements. EWA providers who were engaged in the offering of EWA services as of January 1, 2023, may continue to provide services until December 31, 2024, if the provider submits an application for licensure by January 1, 2024, and otherwise complies with the Act’s provisions. The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on July 1, 2024, for all other purposes.
Connecticut implements measures for auto-renewals
On June 28, the Connecticut governor signed HB 5314 (the “Act”), enacting measures relating to automatic renewal offers and consumer agreements. The Act, among other things, includes newly defined terms such as “automatic renewal provision.” The Act stipulates that any business that enters into a consumer agreement that contains an automatic renewal or continuous services provision must provide various consumer notices and enable any consumer who enters into such an agreement online to terminate online. Notices include a description of the actions the consumer must take to terminate, and if disclosed electronically, a link or other electronic means. Also, to be disclosed before renewal, in any consumer agreement containing an automatic renewal provision, must be the amount of the recurring charge and the amount of the change if the charges are subject to change (if such change in amount is known by the business). The business must further disclose the length of the term for such an agreement, unless the consumer chooses the length of the term, as well as any minimum purchase obligations and contact information for the business. The business must also establish a means for communication with consumers, such as email, toll-free phone number, or website if the agreement is contracted online. The Act also stipulates the nature of the disclosures for consumers before entering such an agreement, before the business makes a material change to the terms of the agreement, and before a consumer enters an agreement that offers a gift or free trial period. Additionally, the Act provides that no person doing business can impose any charge or fee for providing bills to consumers in paper form.
The Act is effective October 1.
Texas enacts data broker requirements
The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.
The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.
The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.
Connecticut establishes rules for virtual currency kiosks
On June 27, the Connecticut governor signed HB 6752 (the “Act”) to establish certain requirements for owners or operators of virtual currency kiosks in the state. Among other things, the commissioner has the authority to establish regulations, forms, and orders that govern the use of digital assets, such as virtual currencies and stablecoins, by regulated entities and individuals. When adopting, amending, or rescinding any such regulation, form, or order, the commissioner may consult with federal financial services regulators, regulators from other states, as well as other stakeholders and industry professionals to promote the consistent treatment and handling of digital assets. Definitions for “virtual currency address,” “virtual currency kiosk,” and “virtual currency wallet” have also been added.
The Act further provides that prior to engaging in an initial virtual currency transaction with a customer, the owner or operator of a virtual currency kiosk is required to provide clear and conspicuous written disclosures in English regarding the material risks associated with virtual currency. These disclosures should cover several key points, including a prominent and bold warning acknowledging that losses resulting from fraudulent or accidental transactions may not be recoverable, transactions in virtual currency are irreversible, and that the nature of virtual currency may lead to an increased risk of fraud or cyber-attack. Disclosures must also address a customer’s liability for unauthorized virtual currency transactions, a customer’s right to stop payment for a preauthorized virtual currency transfer (along with the process to initiate a stop-payment order), and circumstances in which the owner or operator will disclose information regarding the customer’s account to third parties, unless required by a court or government order. Additionally, customers must be provided upfront information relating to the amount of the transaction, any fees, expenses, and charges, and any applicable warnings. It is the responsibility of the owner or operator of a virtual currency kiosk to ensure that every customer acknowledges the receipt of all disclosures mandated by the Act, and to provide receipts upon completion of any virtual currency transaction. The Act is effective October 1.
Connecticut amends requirements for small lenders
On June 29, SB 1033 (the “Act) was enacted in Connecticut to amend the banking statutes. The Act, among other things, (i) redefines “small loan”; (ii) redefines “APR” to be calculated based on the Military Lending Act and include the cost of ancillary products among other fees as part of the “finance charge”; (iii) requires more people to obtain small loan licenses; (iv) requires that certain small loans are worth $5,000-$50,000, which is intended to capture larger loans particularly for student borrowers who may enter into income sharing agreements; (v) prohibits small loans from providing for an advance exceeding an unpaid principal of $50,000; and (vi) eliminates a requirement that certain people demonstrate an ability to supervise mortgage servicing offices in person. The Act also includes new licensing provisions, adding that any person who acts as an agent or service provider for a person who is exempt from licensure requires licensure if (i) they have a predominant economic interest in a small loan; (ii) they facilitate and hold the right to purchase the small loan, receivables or interest in the small loan; or (iii) the person is a lender who structured the loan to evade provisions in the Act. If the facts and circumstances deem the person a lender, they must be licensed under the Act.
New Hampshire amends rules for interest on escrow accounts
On June 20, New Hampshire enacted HB 520 (the “Act”) to amend provisions relating to escrow accounts maintained by licensed nondepository mortgage bankers, brokers, and servicers. The Act amends guidelines surrounding interest payments to escrow accounts maintained for the payment of taxes or insurance premiums related to loans on single family homes in New Hampshire and property secured by real estate mortgages. For both (single family homes and property) accounts, payments must be at a rate no less than the National Deposit Rate for Savings Accounts. Further, interest payments during the six-month period beginning on April 1 of each year, must be no less than the FDIC published rate in January of the same year, whereas interest payments during the six-month period beginning on October 1 of each year, must be no less than the FDIC published rate in July of the same year.
The Act was effective upon its passage.
Nevada to regulate student loan servicers and lenders
On June 14, the Nevada governor signed AB 332 (the “Act”) which provides for the licensing and regulation of student loan servicers. The Act also implements provisions for the regulation of private education loans and lenders. Among other things, the Act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Commissioner of Financial Institutions. Specifically, the Act states that a person seeking to act as a student loan servicer is exempt from the application requirements only if the commissioner determines that the person’s servicing performed in the state is conducted pursuant to a contract awarded by the U.S. Secretary of Education.
The Act also outlines numerous requirements relating to licensing applications, including that the commissioner may participate in the Nationwide Multistate Licensing System and Registry (NMLS), and may instruct NMLS to act on his or her behalf to, among other things, collect and maintain records of applicants and licensees, collect and process fees, process applications, and perform background checks. The commissioner is also permitted to enter into agreements or sharing arrangements with other governmental agencies, the Conference of State Bank Supervisors, the State Regulatory Registry, or other such associations. Additional licensing provisions set forth requirements relating to licensing renewals, reinstatements, surrenders, and denials; liquidity standards; and bond requirements. The commissioner is also granted general supervisory, investigative, and enforcement authority relating to student loan servicers and student education loans and may impose civil penalties for violations of the Act’s provisions. The commissioner must conduct investigations and examinations at least once a year (with licensees being required to pay for such investigations and examinations). The Act further provides that the student loan ombudsman shall enter into an information sharing agreement with the office of the attorney general to facilitate the sharing of borrower complaints.
With respect to private education lenders, the Act establishes certain protections for cosigners of private education loans and prohibits private education lenders from accelerating the repayment of a private education loan, in whole or in part, except in cases of payment default. A lender may be able to accelerate payments on loans made prior to January 1, 2024, provided the promissory note or loan agreement explicitly authorizes an acceleration based on established criteria. The Act also sets forth responsibilities for lenders in the case of the total and permanent disability of a private education loan borrower or cosigner, including cosigner release requirements. Additional provisions outline prohibited conduct and create requirements and prohibitions governing lenders’ business practices. Furthermore, private education lenders are not exempt from any applicable licensing requirements imposed by any other specific statute.
The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on January 1, 2024 for all other purposes.
Rhode Island enacts provisions for real estate appraisal
On June 20, the Rhode Island state governor signed SB 850 (the “Act”), which amends the Real Estate Appraiser Certification Act and the Real Estate Appraisal Management Company (AMC) Registration Act for consistency with federal laws and recommendations from the appraisal subcommittee. Among other things, the Act includes new terminology, including “covered transaction” and “state-licensed real estate appraiser.” This Act sets forth numerous additional provisions, one of which requires that appraisals must be performed by licensed or certified appraisers unless they are specifically exempt under federal law. Also amended are state-certified appraisers and state-licensed appraisers’ classifications. Specifically, the text defining residential property appraisal is replaced with a general statement that requirements for certification and licensing of appraisers will be “as required by the appraiser qualifications board of the appraisal foundation.” Another addition addresses the continuing education requirement for state-licensed and state-certified real estate appraisers, which now stipulates that up to one-half of an individual’s continuing education requirement may be completed by participation in certain educational activities approved by the board. Concerning registration, the Act contains a new subsection, detailing that AMCs cannot be registered in the state if any owner (an individual who owns more than 10 percent) of the AMC fails to submit to a background check or any owner is determined by the director to not have good moral character. Among other amendments, the Act also stipulates that registration is now valid for only one year (previously two years) after issuance.
The Act is effective upon passage.
Nevada enacts health data privacy measures
On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.
The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.
Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability. Additionally, under existing law if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.
The Act is effective March 31, 2024.