Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Tennessee becomes 8th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 11, the Tennessee governor signed HB 1181 to enact the Tennessee Information Protection Act (TIPA) and establish a framework for controlling and processing consumers’ personal data in the state. Tennessee is now the eighth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, and Indiana. TIPA applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Tennessee residents or (ii) controls or processes personal data of at least 25,000 Tennessee residents and derives 50 percent of gross revenue from the sale of personal data. TIPA provides for several exemptions, including financial institutions and data governed by the Gramm-Leach-Bliley Act and certain other federal laws, as well as covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of TIPA include:

    • Consumers’ rights. Under TIPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; request what categories of information were sold or disclosed; and opt out of the sale of their data.
    • Controllers’ responsibilities. Data controllers under TIPA will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) not processing data for reasons incompatible with the specified purpose; (v) securing personal data from unauthorized access; (vi) not processing data in violation of state or federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (ix) providing clear and meaningful privacy notices. TIPA also sets forth obligations relating to contracts between a controller and a processor.
    • No private right of action but enforcement by state attorney general. TIPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law and seek penalties of up to $15,000 per violation and treble damages for willful or knowing violations. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
    • Right to cure. Upon discovering a potential violation of TIPA, the attorney general must give the data controller written notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit.
    • Affirmative defense. TIPA establishes an affirmative defense for violations for controllers and processors that adopt a privacy program “that reasonably conforms” to the National Institute of Standards and Technology Privacy Framework and complies with required provisions. Failing “to maintain a privacy program that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy” will be considered an unfair and deceptive act or practice under Tennessee law.

    TIPA takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Tennessee Consumer Protection

  • Maryland eliminates separate licensing requirement for branches

    On May 8, the Maryland governor signed HB 686 to eliminate a requirement that collection agencies and certain non-depository financial institutions must maintain separate licenses for branch locations. The Act now allows such entities to conduct business at multiple licensed locations under a single license. The Act also amends and clarifies other provisions relating to application requirements, licensee information listed in the Nationwide Multi-State Licensing System and Registry, requirements when using trade names, examinations, Commissioner of Financial Regulation assessments, and surety bond requirements. The Act is effective July 1.

    Licensing State Issues State Legislation Maryland NMLS Debt Collection

  • New York proposes “landmark” crypto legislation

    State Issues

    On May 5, New York Attorney General Letitia James announced proposed legislation to increase oversight of the cryptocurrency industry. Calling the “landmark legislation” the “strongest and most comprehensive set of regulations on cryptocurrency in the nation,” James said the bill would increase transparency, eliminate conflicts of interest, and impose “commonsense” investor protection measures consistent with other financial services regulations. Among other things, the bill would strengthen NYDFS’ regulatory authority over digital assets and codify the Department’s ability to license digital asset brokers, marketplaces, investment advisors, and issuers prior to engaging in business in the state. NYDFS would also be given jurisdiction to enforce violations of law within the crypto industry, including by issuing subpoenas; imposing civil penalties of $10,000 per violation per individual or $100,000 per violation per firm; collecting restitution, damages, and penalties; and shutting down businesses found to be engaging in fraud and illegal activities.

    The bill would also strengthen investor protections by enacting and codifying “know-your-customer” protections, “[b]anning the use of the term ‘stablecoin’ to describe or market digital assets unless they are backed 1:1 with U.S. currency or high-quality liquid assets as defined in federal regulations,” and requiring crypto platforms to reimburse victims of fraud, similar to a bank’s responsibility under the EFTA. Other provisions would, among other things, (i) implement protections to stop conflicts of interest, including by preventing common ownership of crypto issuers, marketplaces, brokers, and investment advisers and preventing such persons from engaging in more than one of those activities; and (ii) require public reporting of financial statements to increase transparency and mandate that companies be required to undergo independent audits and publish audited financial statements, among other things.

    The proposed bill will be submitted by the attorney general’s office to the New York Senate and Assembly for their consideration during the 2023 legislative session.

    State Issues Digital Assets State Legislation State Attorney General Cryptocurrency New York EFTA Fintech

  • Maryland amends student financing company registration

    On May 8, the Maryland governor signed HB 913 to amend certain provisions relating to student financing company registration and reporting requirements. Among other things, the Act defines the term “student financing company” to mean “an entity engaged in the business of securing, making, or extending student financing products, or any purchaser, assignee, or holder of student financing products.” Student financing companies seeking to provide services in the state will be required to register with the Commissioner of Financial Regulation beginning March 15, 2024. Additionally, the Act provides that a student financing company seeking to renew its registration on an annual basis may be required to pay a fee at the time of renewal. The Act also authorizes the Commissioner to adopt registration procedures for student financing companies, including the use of the Nationwide Multi-State Licensing System and Registry, and may impose certain fees for using the registry. Additionally, the Act makes several technical clarifying provisions to the reporting requirements for student financing companies to be filed with the Commissioner annually on or before March 15. Furthermore, on or before June 15, 2024 (and each June 15 thereafter), information reported by the student financing companies will be available on a publicly accessible website to be developed and maintained by the Commissioner. The Act is effective October 1.

    Licensing State Issues State Legislation Maryland Student Lending

  • Indiana amends mortgage loan originator licensing requirements

    On May 4, the Indiana governor signed SB 452 to amend Indiana code governing financial institutions. Among other things, the Act amends a provision to require the Department of Financial Institutions to adopt emergency rules no later than June 30, 2024, to authorize certain licensees (or certain exempt persons aside from a person that has voluntarily registered with the Department) “to sponsor one (1) or more mortgage loan originators, who are not employees of the sponsoring person, to perform mortgage loan originator activities” provided certain criteria is met. Requirements include that (i) each sponsored person performs mortgage loan originator activities exclusively for the sponsoring person (as provided in a written agreement); (ii) the sponsoring person assumes responsibility for and reasonably supervises the activities of each sponsored mortgage loan originator; (iii) the sponsoring person maintains a bond that covers all sponsored mortgage loan originators; and (iv) each sponsored mortgage loan originator possesses a current, valid insurance producer license as required under state law. The emergency rules must meet the requirements of the Secure and Fair Enforcement for Mortgage Licensing Act of 2008, HUD and CFPB interpretations of that Act, as well as a subsequent amendment provided by the Economic Growth, Regulatory Relief, and Consumer Protection Act.

    Licensing State Issues State Legislation Indiana Mortgages Mortgage Origination

  • Indiana enacts Money Transmission Modernization Act

    On May 4, the Indiana governor signed SB 458, which repeals current Indiana code governing the licensing and regulation of money transmitters by the Department of Financial Institutions. The bill adds a new chapter codifying the Money Transmission Modernization Act, and outlines provisions to be administered by the Department’s Division of Consumer Credit. Among other things, the Act is designed to eliminate unnecessary regulatory burden and ensure states are able to coordinate in all areas of regulation, licensing, and supervision. The Act will also enforce compliance with applicable state and federal laws, standardize activities subject to or exempt from licensing, and modernize safety and soundness requirements to protect customer funds, while also supporting innovation and competitive business practices. The Act defines terms, outlines exemptions, and establishes authorities for the director who many enter into agreements with other government officials or regulatory agencies/associations to improve efficiencies and reduce regulatory burden. The Department is also granted authority to interpret and enforce the chapter, promulgate rules and regulations, and recover administrative and enforcement costs.

    With respect to licensing provisions, the director is authorized to report complaints received concerning licensees, as well as significant or recurring violations, to the Nationwide Multi-State Licensing System and Registry (NMLS), and may use NMLS for all aspects of licensing, including applications, surety bonds, reporting, background checks, credit checks, fee processing, and examinations. Moreover, the director may also “participate in multistate supervisory processes established between states and coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and the affiliates and successors of either organization, for all licensees that hold licenses in Indiana and other states,” including entering into agreements to coordinate and share information.

    The Act outlines licensing application procedures, as well as licensees’ rights, reporting and recordkeeping requirements, examination processes for outside vendors that provide services normally undertaken by the licensee, criminal penalties, surety bonds, permissible investments, authorized delegate provisions, and explains how the Act applies to licensees issued a license under the current statute, among other things. Additionally, licensees are required to pay all costs reasonably incurred in connection with an examination of the licensee or the licensee’s authorized delegate. The Act’s provisions take effect January 1, 2024.

    Licensing State Issues State Legislation Indiana Money Service / Money Transmitters NMLS

  • Colorado establishes medical debt collection requirements

    State Issues

    On May 4, the Colorado governor signed SB 23-093 to cap the interest rate on medical debt at three percent per year. The Act outlines numerous provisions, including that entities collecting on a medical debt must provide a consumer with a written copy of a payment plan within seven days for medical debt that is payable in four or more installments. The Act also outlines requirements for accelerating or declaring a payment plan longer operative, and lays out prohibited actions (such as collecting on a debt or reporting a debt to a consumer reporting agency within a certain timeframe) relating to medical debt that an entity knows, or reasonably should know, is under review or being appealed. An entity that files a legal action to collect a medical debt must provide to a consumer (upon written request) an itemized statement concerning the debt and must allow a consumer to dispute the debt’s validity after receiving the statement. Entities are prohibited from engaging in collection activities until the itemized statement is delivered. The Act outlines self-pay requirements and estimates, and further provides that it is a deceptive trade practice to violate outlined provisions relating to billing practices, surprise billing, and balance billing laws. The Act takes effect immediately and applies to contracts entered into after the effective date.

    State Issues State Legislation Colorado Medical Debt Debt Collection Interest Rate Consumer Finance

  • Oklahoma ties maximum interest on loans to fed funds rate

    State Issues

    The Oklahoma governor recently signed SB 794, which increases the maximum loan finance charge for certain loans (i.e., supervised loans under applicable Oklahoma law) by additionally including the federal funds rate published by the Federal Reserve Board. Specifically, a loan finance charge may not exceed the equivalent of the greater of either of the following: the total of (i) 32 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which is $7,000 or less; (ii) 23 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which greater than $7,000 but less than $11,000; and (iii) 20 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which exceeds $11,000; or 25 percent plus the federal funds rate per year on the unpaid balances of the principal. The federal funds rate is defined as the rate published by the Fed that is “in effect as of the first day of each month immediately preceding the month during which the loan is consummated.” Supervised lenders may contract for and receive a loan finance charge not exceeding what is allowed by the Act. The Act is effective November 1.

    State Issues State Legislation Oklahoma Federal Reserve Finance Charge

  • Indiana becomes seventh state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (covered by Special Alerts here and here and InfoBytes here, here, here, and here). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as covered entities governed by the Health Insurance Portability and Accountability Act.

    Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities created on or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ personal data without first obtaining consent, or in the case of a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.

    The Act takes effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Indiana Consumer Protection COPPA

  • Washington State passes new health data privacy measures

    Privacy, Cyber Risk & Data Security

    On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt. The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain consent from consumers prior to collecting, sharing, and selling their health data; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.

    The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.

    Privacy, Cyber Risk & Data Security State Legislation State Issues Washington Consumer Protection Medical Data

Pages

Upcoming Events