
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS circulates advisory on file transfers

    Privacy, Cyber Risk & Data Security

    On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software product may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risk assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded of the requirement to report cybersecurity events as promptly as possible but no later than 72 hours, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” is considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).

    Privacy, Cyber Risk & Data Security State Issues State Regulators NYDFS Department of Homeland Security 23 NYCRR Part 500 Consumer Protection Act

  • NYDFS calls its virtual currency framework the “gold standard”

    Fintech

    On May 25, NYDFS Superintendent Adrienne Harris testified before the New York assembly to address the regulation of virtual currency in the state. Harris highlighted the value and “gold standard” set by NYDFS’s virtual currency regulatory framework. She detailed how novel risks in that landscape were met with subsequent growth of the virtual currency unit since her arrival, including the addition of 50 professionals and a range of seasoned experts to streamline enforcement investigations.

    In her testimony, Harris also voiced how the framework responsibly supports innovation for entities engaging primarily in virtual currency activities, leveraging their licensing (BitLicense) and chartering (the limited purpose trust company charter) regimes, whereas other states license virtual currency entities only as money transmitters. Adding on, she specified how NYDFS’s customized approach continues after approval, specifically, “NYDFS creates a detailed supervisory agreement that is tailored to the specific risks presented by the company’s business model. Licensed and chartered entities also are subject to ongoing supervision and are regularly examined for compliance with broadly applicable virtual currency regulations and other rules, as well as with their supervisory agreements.” The development of these tools, among other safeguards, is demonstrative of NYDFS’ focus on addressing the inherently high-risk nature of virtual currency business activity with respect to illicit transactions, she noted.

    Harris further clarified that secure, customized regulatory requirements, as outlined in the framework, coupled with transparency, usher in more business for the state, especially in the case of crypto startups. Further, other regulators, jurisdictions, and economic development agencies are seeking to replicate the framework, Harris commented, as consumer protection is not only achieved as outlined in the law, but by regulators that are able to move at a faster pace than the former.

    Fintech Digital Assets State Issues Cryptocurrency New York Consumer Protection

  • New York reaches settlement with medical management company over patient data

    Privacy, Cyber Risk & Data Security

    On May 23, the New York attorney general announced a settlement with a medical management company for allegedly failing to protect over 428,000 New Yorkers’ personal and health data from a 2020 ransomware cyberattack affecting roughly 1.2 million consumers nationwide. According to the AG’s investigation, the company implemented a new version of its software in January 2019, but allegedly failed to conduct a series of security tests and scans that could have identified any security problems. Further, the private information maintained by the company was not encrypted. Notably, information for 13 consumers was apparently discovered on the dark web days after the hack. The investigation concluded that, among the 28 areas in which the company failed to maintain reasonable data security practices to protect patients’ private and health information, it allegedly failed to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers. Under the terms of the assurance of discontinuance, the company, while neither admitting nor denying the allegations, agreed to pay $550,000 in penalties, and will improve its data security practices and offer affected customers free credit monitoring services.

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York

  • Texas amends breach notification requirements

    Privacy, Cyber Risk & Data Security

    On May 27, the Texas governor signed SB 768 to amend the state’s data breach notification statutes. The Act requires entities to notify the attorney general “as soon as practicable” and not later than 30 days after the date a computerized security system breach occurs involving at least 250 Texas residents. The Act now details that notification must be submitted electronically using a form accessible through the attorney general’s website. No substantive changes were made to the required information within the form. The Act is effective September 1.

    Privacy, Cyber Risk & Data Security State Issues Texas Data Breach State Attorney General Consumer Protection

  • Minnesota enacts small-dollar consumer lending and money transmitter amendments; Georgia and Nevada also enact money transmission provisions

    On May 24, the Minnesota governor signed SF 2744 to amend several state statutes relating to financial institutions, including provisions concerning small-dollar, short-term consumer lending, payday lending, and money transmitter requirements. Changes to the statutes governing consumer small loans and consumer short-term loans amend the definition of “annual percentage rate” (APR) to include “all interest, finance charges, and fees,” as well as the definition of a “consumer short-term loan” to mean a loan with a principal amount or an advance on a credit limit of $1,300 (previously $1,000). The amendments outline certain prohibited actions and also cap the permissible APR on a loan at no more than 50 percent and stipulate that lenders are not permitted to add other charges or payments in connection with these loans. The changes apply to loans originated on or after January 1, 2024. The amendments also make several modifications to provisions relating to payday loans with APRs exceeding 36 percent, including requirements for conducting an ability to repay analysis. These provisions are effective January 1, 2024.

    Several new provisions relating to the regulation and licensing of money transmitters are also outlined within the amendments. New definitions and exemptions are provided, as well as implementation instructions that provide the state commissioner authority to “enter into agreements or relationships with other government officials or federal and state regulatory agencies and regulatory associations in order to (i) improve efficiencies and reduce regulatory burden by standardizing methods or procedures, and (ii) share resources, records, or related information obtained under this chapter.” The commissioner may also accept licensing, examination, or investigation reports, as well as audit reports, made by other state or federal government agencies. To efficiently minimize regulatory burden, the commissioner is authorized to participate in multistate supervisory processes coordinated through the Conference of State Bank Supervisors (CSBS), the Money Transmitter Regulators Association, and others, for all licensees that hold licenses in the state of Minnesota and other states. Additionally, the commissioner has enforcement, examination, and supervision authority, may adopt implementing regulations, and may recover costs and fees associated with applications, examinations, investigations, and other related actions. The commissioner may also participate in joint examinations or investigations with other states.

    With respect to the licensing provisions, the amendments state that a “person is prohibited from engaging in the business of money transmission, or advertising, soliciting, or representing that the person provides money transmission, unless the person is licensed under this chapter” or is a licensee’s authorized delegate or exempt. Licenses are not transferable or assignable. The commissioner may establish relationships or contracts with the Nationwide Multi-State Licensing System and Registry and participate in nationwide protocols for licensing cooperation and coordination among state regulators if the protocols are consistent with the outlined provisions. The amendments also outline numerous licensing application and renewal procedures including net worth and surety bond, as well as permissible investment requirements.

    The same day, the Nevada governor signed AB 21 to revise certain provisions relating to the licensing and regulation of money transmitters in the state. The amendments generally revise and repeal various statutory provisions to establish a process for governing persons engaged in the business of money transmission that is modeled after the Model Money Transmission Modernization Act approved by the CSBS. Like Minnesota, the commissioner may participate in multistate supervisory processes and information sharing with other state and federal regulators. The commissioner also has expanded examination and enforcement authority over licensees. The Act is effective July 1.

    Additionally, the Georgia governor signed HB 55 earlier in May to amend provisions relating to the licensing of money transmitters (and to merge provisions related to licensing of sellers of payment instruments). The Act addresses licensee requirements and prohibited activities, outlines exemptions, and provides that applications pending as of July 1, “for a seller of payment instruments license shall be deemed to be an application for a money transmitter license as of that date.” Notably, should a license be suspended, revoked, surrendered, or expired, the licensee must, “within five business days, provide documentation to the department demonstrating that the licensee has notified all applicable authorized agents whose names are on record with the department of the suspension, revocation, surrender, or expiration of the license.” The Act is also effective July 1.

    Licensing State Issues Fintech Digital Assets State Legislation Minnesota Georgia Nevada Consumer Finance Consumer Lending Payday Lending Money Service / Money Transmitters Virtual Currency

  • FTC says COPPA does not preempt state privacy claims

    Courts

    The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.

    As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”

    In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.

    Courts State Issues Privacy, Cyber Risk & Data Security FTC Appellate Ninth Circuit COPPA Class Action Preemption

  • Fintech fined over interest charges billed as tips and donations

    Fintech

    A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.

    The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.

    A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.

    In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.

    Fintech State Issues Licensing Enforcement Washington California Connecticut Interest TILA DFPI State Regulators State Attorney General

  • Arizona amends licensing provisions

    On May 19, the Arizona governor signed HB 2010 to amend certain sections of the Arizona revised statutes relating to the Department of Insurance and Financial Institutions. Amendments make changes to several licensing provisions, including the length of time a license remains active and licensure renewal requirements. The Act provides that on or before June 30 of each year, a licensee may renew each license without investigation by paying prescribed fees. Other revisions amend accounting practices and record retention requirements for mortgage brokers, mortgage bankers, and commercial mortgage bankers, among others. HB 2010 is effective 90 days after enactment.

    Licensing State Issues State Legislation Arizona Mortgages

  • DFPI examines whether some payment services are exempt from MTA

    The California Department of Financial Protection and Innovation (DFPI) recently released a new opinion letter covering aspects of the California Money Transmission Act (MTA) relating to whether certain payment services are exempt or subject to licensure. The redacted opinion letter examines three payment services provided by the inquiring company. DFPI first analyzed and determined that payments received by a law firm collection agent from a different entity’s collection attorneys and remitted to said entity are exempt pursuant to MTA Financial Code section 2011. DFPI next considered whether the MTA’s agent of payee exemption applies to certain tax payment transactions wherein a customer’s payment obligation to the company is extinguished once the customer has submitted a payment through a particular contractor. According to DFPI, transactions conducted pursuant to a contract between the company and the contractor (appointed as a limited agent for the sole purpose of receiving payments on the company’s behalf from taxpayers) are exempt from the MTA under the agent of payee exemption. Finally, DFPI considered whether the agent of payee exemption applies to certain payments to government entities. DFPI explained, among other things, that the language contained within the contracts with each government entity “establishes that the government entity has appointed [the company] to act as its agent and that payment to [the company] extinguishes the payor’s payment obligation to the government entity.” As such, DFPI determined that “transactions conducted pursuant to contracts containing such language are exempt from the MTA under the agent of payee exemption.”

    Licensing State Issues State Regulators DFPI California Money Transmission Act

  • Iowa modernizes money transmission provisions

    The Iowa governor recently signed HF 675 to revise certain provisions of the Uniform Money Transmission Modernization Act. The Act is designed to eliminate unnecessary regulatory burden and harmonize the licensing and regulation of money transmitters with other states. Among other things, the Act defines terms for when a state money services business (MSB) license is required and adds a process for joint multistate examination and supervision of MSB licensees. The Act also outlines several exemptions, including federally insured depository institutions and certain persons appointed as an agent of a payee who collect and process payments from a payor to the payee for goods or services (other than money transmission itself).

    With respect to licensing provisions, the Act states that a person shall not engage in the business of money transmission unless they are licensed. New provisions modify the licensing process, including by requiring that applications be approved 121 days after completion, unless denied or approved earlier by the superintendent. The license will take effect the first business day after expiration of the 120-day period (although the superintendent may for good cause extend the application period). The Act also outlines licensing application renewal procedures, requirements for maintaining licensure, processes for person(s) seeking to acquire control of a licensee or seeking to change key individuals, authorized delegate provisions, net worth and surety bond criteria, permissible investments, and reporting and financial condition requirements, among other criteria. The Act further specifies that a person who engages in the business of money transmission on behalf of a person not licensed under the chapter “provides money transmission to the same extent as if the person were a licensee, and shall be jointly and severally liable with the unlicensed or nonexempt person.” The Act takes effect July 1.

    Licensing State Issues State Legislation Iowa Money Service / Money Transmitters
