
InfoBytes Blog

Financial Services Law Insights and Observations


  • Maryland amends student financing company registration

    On May 8, the Maryland governor signed HB 913 to amend certain provisions relating to student financing company registration and reporting requirements. Among other things, the Act defines the term “student financing company” to mean “an entity engaged in the business of securing, making, or extending student financing products, or any purchaser, assignee, or holder of student financing products.” Student financing companies seeking to provide services in the state will be required to register with the Commissioner of Financial Regulation beginning March 15, 2024. Additionally, the Act provides that a student financing company seeking to renew its registration on an annual basis may be required to pay a fee at the time of renewal. The Act also authorizes the Commissioner to adopt registration procedures for student financing companies, including the use of the Nationwide Multi-State Licensing System and Registry, and may impose certain fees for using the registry. Additionally, the Act makes several technical clarifying provisions to the reporting requirements for student financing companies to be filed with the Commissioner annually on or before March 15. Furthermore, on or before June 15, 2024 (and each June 15 thereafter), information reported by the student financing companies will be available on a publicly accessible website to be developed and maintained by the Commissioner. The Act is effective October 1.

    Licensing State Issues State Legislation Maryland Student Lending

  • Indiana amends mortgage loan originator licensing requirements

    On May 4, the Indiana governor signed SB 452 to amend Indiana code governing financial institutions. Among other things, the Act amends a provision to require the Department of Financial Institutions to adopt emergency rules no later than June 30, 2024, to authorize certain licensees (or certain exempt persons aside from a person that has voluntarily registered with the Department) “to sponsor one (1) or more mortgage loan originators, who are not employees of the sponsoring person, to perform mortgage loan originator activities” provided certain criteria are met. Requirements include that (i) each sponsored person performs mortgage loan originator activities exclusively for the sponsoring person (as provided in a written agreement); (ii) the sponsoring person assumes responsibility for and reasonably supervises the activities of each sponsored mortgage loan originator; (iii) the sponsoring person maintains a bond that covers all sponsored mortgage loan originators; and (iv) each sponsored mortgage loan originator possesses a current, valid insurance producer license as required under state law. The emergency rules must meet the requirements of the Secure and Fair Enforcement for Mortgage Licensing Act of 2008, HUD and CFPB interpretations of that Act, as well as a subsequent amendment provided by the Economic Growth, Regulatory Relief, and Consumer Protection Act.

    Licensing State Issues State Legislation Indiana Mortgages Mortgage Origination

  • Indiana enacts Money Transmission Modernization Act

    On May 4, the Indiana governor signed SB 458, which repeals current Indiana code governing the licensing and regulation of money transmitters by the Department of Financial Institutions. The bill adds a new chapter codifying the Money Transmission Modernization Act, and outlines provisions to be administered by the Department’s Division of Consumer Credit. Among other things, the Act is designed to eliminate unnecessary regulatory burden and ensure states are able to coordinate in all areas of regulation, licensing, and supervision. The Act will also enforce compliance with applicable state and federal laws, standardize activities subject to or exempt from licensing, and modernize safety and soundness requirements to protect customer funds, while also supporting innovation and competitive business practices. The Act defines terms, outlines exemptions, and establishes authorities for the director who may enter into agreements with other government officials or regulatory agencies/associations to improve efficiencies and reduce regulatory burden. The Department is also granted authority to interpret and enforce the chapter, promulgate rules and regulations, and recover administrative and enforcement costs.

    With respect to licensing provisions, the director is authorized to report complaints received concerning licensees, as well as significant or recurring violations, to the Nationwide Multi-State Licensing System and Registry (NMLS), and may use NMLS for all aspects of licensing, including applications, surety bonds, reporting, background checks, credit checks, fee processing, and examinations. Moreover, the director may also “participate in multistate supervisory processes established between states and coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and the affiliates and successors of either organization, for all licensees that hold licenses in Indiana and other states,” including entering into agreements to coordinate and share information.

    The Act outlines licensing application procedures, as well as licensees’ rights, reporting and recordkeeping requirements, examination processes for outside vendors that provide services normally undertaken by the licensee, criminal penalties, surety bonds, permissible investments, authorized delegate provisions, and explains how the Act applies to licensees issued a license under the current statute, among other things. Additionally, licensees are required to pay all costs reasonably incurred in connection with an examination of the licensee or the licensee’s authorized delegate. The Act’s provisions take effect January 1, 2024.

    Licensing State Issues State Legislation Indiana Money Service / Money Transmitters NMLS

  • Colorado establishes medical debt collection requirements

    State Issues

    On May 4, the Colorado governor signed SB 23-093 to cap the interest rate on medical debt at three percent per year. The Act outlines numerous provisions, including that entities collecting on a medical debt must provide a consumer with a written copy of a payment plan within seven days for medical debt that is payable in four or more installments. The Act also outlines requirements for accelerating or declaring a payment plan no longer operative, and lays out prohibited actions (such as collecting on a debt or reporting a debt to a consumer reporting agency within a certain timeframe) relating to medical debt that an entity knows, or reasonably should know, is under review or being appealed. An entity that files a legal action to collect a medical debt must provide to a consumer (upon written request) an itemized statement concerning the debt and must allow a consumer to dispute the debt’s validity after receiving the statement. Entities are prohibited from engaging in collection activities until the itemized statement is delivered. The Act outlines self-pay requirements and estimates, and further provides that it is a deceptive trade practice to violate outlined provisions relating to billing practices, surprise billing, and balance billing laws. The Act takes effect immediately and applies to contracts entered into after the effective date.

    State Issues State Legislation Colorado Medical Debt Debt Collection Interest Rate Consumer Finance

  • Oklahoma ties maximum interest on loans to fed funds rate

    State Issues

    The Oklahoma governor recently signed SB 794, which increases the maximum loan finance charge for certain loans (i.e., supervised loans under applicable Oklahoma law) by additionally including the federal funds rate published by the Federal Reserve Board. Specifically, a loan finance charge may not exceed the equivalent of the greater of either of the following: the total of (i) 32 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which is $7,000 or less; (ii) 23 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which is greater than $7,000 but less than $11,000; and (iii) 20 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which exceeds $11,000; or 25 percent plus the federal funds rate per year on the unpaid balances of the principal. The federal funds rate is defined as the rate published by the Fed that is “in effect as of the first day of each month immediately preceding the month during which the loan is consummated.” Supervised lenders may contract for and receive a loan finance charge not exceeding what is allowed by the Act. The Act is effective November 1.

    State Issues State Legislation Oklahoma Federal Reserve Finance Charge

  • Indiana becomes seventh state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (covered by Special Alerts here and here and InfoBytes here, here, here, and here). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as covered entities governed by the Health Insurance Portability and Accountability Act.

    Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities created on or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ personal data without first obtaining consent, or in the case of a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.

    The Act takes effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Indiana Consumer Protection COPPA

  • Washington State passes new health data privacy measures

    Privacy, Cyber Risk & Data Security

    On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt. The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain consent from consumers prior to collecting, sharing, and selling their health data; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.

    The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.

    Privacy, Cyber Risk & Data Security State Legislation State Issues Washington Consumer Protection Medical Data

  • Washington enacts robocall measures

    State Issues

    On April 20, the Washington governor signed HB 1051 to expand existing provisions regulating robocalls and telephone solicitations and prohibit abusive telephone communications that mislead or harm state residents. In doing so, the Act extends liability to “persons who provide substantial assistance or support in the origination and transmission of robocalls” that violate state law, and prohibits the initiation of unwanted calls to phone numbers listed on the National Do Not Call Registry pursuant to the Telemarketing Sales Rule. Among other things, practices that violate the Act’s provisions will be considered an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the state’s consumer protection act. Injured persons may bring a civil action in Washington superior court to prevent further violations and “shall recover actual damages or $1,000 per violation of this section, whichever is greater.” The Act is effective July 23.

    State Issues State Legislation Robocalls Consumer Protection

  • Washington enacts credit repair regulation

    State Issues

    On April 20, the Washington governor signed HB 1311 to enact provisions relating to credit repair services performed by a credit services organization. Among other things, the Act outlines new requirements, including that a credit services organization must provide consumers with a monthly statement that details the services performed, as well as “an accounting of any funds paid by a consumer and held or disbursed on the consumer’s behalf and copies of any letters sent by the credit services organization on the consumer’s behalf,” if applicable. Additionally, a credit services organization is prohibited from sending any communications to a consumer reporting agency, creditor, collection agency, or regulatory entity unless the consumer has provided prior written authorization. Credit services organizations must also comply with specified written communication requirements and provide disclosures addressing consumers’ rights to review their files. Modifications to certain provisions relating to notices of cancellation have also been made. The Act is effective July 23.

    State Issues State Legislation Washington Consumer Finance Credit Repair Credit Report Credit Reporting Agency

  • Kansas enacts financial institutions information security act

    Privacy, Cyber Risk & Data Security

    On April 20, the Kansas governor signed SB 44 to enact the Kansas financial institutions information security act. The Act establishes information security standards for covered entities, and applies to credit service organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions. A covered entity will be required to develop, implement, and maintain a cybersecurity system to protect consumer information, and must ensure its information security program is maintained as part of its books and records in compliance with established record retention requirements. Additionally, the state bank commissioner is granted the authority to adopt “all rules and regulations necessary to govern and administer the [Act’s] provisions.” The commissioner is also given an assortment of enforcement tools to administer the Act, including: conducting routine examinations; investigating a covered entity’s operations; issuing subpoenas; assessing fines and civil penalties not to exceed $5,000 per violation, as well as investigation and enforcement costs; censuring registered or licensed covered entities; entering into memorandums of understanding or consent orders; revoking, suspending, or refusing to renew the registration or license of covered entities; issuing cease-and-desist orders; filing for injunctions; or issuing emergency orders to prevent harm to consumers. The Act takes effect July 1.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Kansas Consumer Protection
