InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California OAL approves CCPA regulations
On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.
The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.
Utah repeals some collection agency registration requirements
On March 17, the Utah governor signed HB 20 to repeal several of the state’s collection agency statutory provisions. Specifically, the bill repeals provisions that (i) require collection agencies to register with the Division of Corporations and Commercial Code and have on file sufficient bond in the amount of $10,000 (see Sections 12-1-1 and 12-1-2); (ii) stipulate bond terms and require certain records relating to registrations and bonds to be maintained with the Division and open to public inspection (see Sections 12-1-3, and 12-1-5); (iii) relate to violations and penalties and specify that “[a]ny person, member of a partnership, or officer of any association or corporation who fails to comply with any provision of this title is guilty of a class A misdemeanor (see Section 12-1-6); (iv) outline exceptions (see Section 12-1-7); (v) govern assignments of debts involving collection agencies and limit activities as to the assignments (see Section 12-1-8); (vi) specify that information about a consumer’s credit rating or credit worthiness sent to a consumer reporting agency is void if the collection agency does not have a bond on file (see Section 12-1-9); and (vii) require certain registration forms and application fees for collection agencies seeking approval to conduct business in Utah (see Section 12-1-10). Limitations and terms of collection fees and convenience fees imposed by creditors or third-party debt collection agencies will remain unchanged by the amendments (see Section 12-1-11). The changes take effect May 3.
Arkansas amends LO sponsorship licensing requirements
On March 21, Arkansas enacted HB 1439 to clarify the sponsorship process and amend licensing requirements under the state’s Fair Mortgage Lending Act. The amendments modify the definition of a “transitional loan officer license” to mean a license that is issued to an individual who is employed “and sponsored by” a licensed mortgage banker or mortgage broker. The term “sponsor” was also added and defined as a licensed mortgage broker or mortgage banker “that has assumed the responsibility for and agrees to supervise the actions of a loan officer or transitional loan officer.” HB 1439 also amends provisions relating to the termination of a loan officer’s license to provide that should the employment of a loan officer or a transitional loan officer be surrendered or canceled, a “sponsor shall terminate the sponsorship of the loan officer or transitional loan officer with the commissioner within thirty (30) days from the date that the loan officer or transitional loan officer ceased to be employed or ceased activities for the sponsor.” Sponsorship termination extinguishes any rights of a loan officer or a transitional loan officer to engage in mortgage loan activity. The license will be marked as “approved-inactive” until a licensed mortgage broker or mortgage banker files an application with the commissioner to sponsor the loan officer. The “approved-inactive” status may be changed to “approved” if a licensed mortgage broker or mortgage banker files an application for sponsorship, pays a $50 fee, and provides sponsorship notice to the commissioner. The amendments will take effect 90 days following the adjournment of the legislature.
Virginia amends remote work requirements for mortgage companies
On March 26, the Virginia governor signed HB 2389, which permits mortgage lenders and mortgage brokers to allow employees and exclusive agents to work remotely provided certain conditions are met. Requirements to conduct business out of a remote location include: (i) the establishment of written policies and procedures for remote work supervision; (ii) ensuring access to platforms and customer information adheres to the licensee’s comprehensive written information security plan; (iii) the employment of appropriate risk-based monitoring and oversight processes, as well as the agreement from employees or exclusive agents who will work remotely to comply with these established practices; (iv) banning in-person customer interaction at an employee’s or exclusive agent’s residence unless the residence is an approved office; (v) the proper maintenance of physical records; (vi) compliance with federal and state security requirements when engaging in customer interactions and conversations; (vii) access to the licensee’s secure systems via a virtual private network or comparable system with password protection; (viii) the installation and maintenance of security updates, patches, or other alterations; (ix) “the ability to remotely lock or erase company-related contents of any device or otherwise remotely limit access to a licensee’s secure systems"; and (x) the designation of the principal place of business as the mortgage loan originator’s registered location for the purposes of the Nationwide Mortgage Licensing System and Registry record, “unless such mortgage loan originator elects an office as a registered location.” The amendments also add definitions for “office” and “remote location.” The Act is effective July 1.
Oregon clarifies appraisal company registration authority
On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.
Law firm settles breach claims related to health care data
On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advance data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach.
Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”
Utah amends disclosure requirements for data breaches
On March 23, the Utah governor signed SB 127, which, among other things, requires additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”
The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.
The amendments are effective 60 days follow adjournment of the legislature.
Crypto lender to provide refunds to Californians
On March 27, the California Department of Financial Protection and Innovation (DFPI) announced that a New Jersey-based crypto lending platform has agreed to provide more than $100,000 in refunds to California residents. The refunds, subject to bankruptcy court approval, stem from the lender’s conduct following the collapse of a major crypto exchange last November. As previously covered by InfoBytes, in December, DFPI moved to revoke the lender’s California Financing Law license following an examination, which found that the lender “failed to perform adequate underwriting when making loans and failed to consider borrowers’ ability to repay these loans, in violation of California’s financing laws and regulations.” At the time the lender announced it was limiting platform activity and pausing client withdrawals. The lender eventually filed a petition for chapter 11 bankruptcy. An investigation also revealed that due to the lender’s failure to timely notify borrowers that they could stop repaying their loans, borrowers remitted at least $103,471 in loan repayments to the lender’s servicer while they were unable to withdraw funds and collateral from the platform. A hearing on the lender’s petition to direct its servicer to return borrowers’ loan repayments is scheduled for April 19.
The lender agreed to an interim suspension of its lending license while the bankruptcy and revocation actions are pending. It also agreed to a final order to discontinue unsafe or injurious practices, as well as a desist and refrain order. Among other things, the lender has agreed to continue to direct its agents to pause collection of repayments on loans belonging to California residents while its license is suspended (including turning off autopay), will continue to set interest rates to 0 percent, and continue to not levy any late fees associated with any payments or report any loans that became delinquent or defaulted on or after November 11, 2022, to credit reporting agencies while the bankruptcy and revocation actions are pending.
Kentucky modifies allowable charges on consumer loans
On March 29, Kentucky enacted SB 165 to amend Kentucky code to modify permitted loan charges for consumer loan companies. Specifically, licensees may make loans up to $15,000, excluding charges; however, the original principal amount determines how much a licensee may charge, contract for, and receive on a loan. For loans with an original principal amount under $5,000, a licensee may charge up to 3 percent per month on the original principal of the loan, as well as on any charges, including fees, costs, expenses, or other amounts authorized by the act on the loan contract. Licensees may charge 2.42 percent on loans between $5,000 and $10,000, and 2.25 percent on loans exceeding $10,000. Additionally, every loan payment may now “be applied to the face amount of the note until the loan contract is paid in full.” The amendments also stipulate that a licensee is not allowed to “induce or permit a person to become obligated to the licensee, directly or contingently, or both under any loan contract entered into within [10] days of the origination of another loan contract with the same person for the purpose or with the result of obtaining charges.” Moreover, should a licensee make a second or subsequent loan to a person outside of the 10-day period, “the licensee shall not be required to limit the loan charges to the aggregate amount of what the loans combined would dictate under this subtitle.” For borrowers that request loan funding in a manner other than a physical check, a licensee may charge a $3 funding fee per loan for distributing the proceeds in the manner requested by the borrower. The amendments are effective 90 days after adjournment of the legislature.
Iowa establishes refund requirements for voluntary debt cancellation coverage
On March 22, the Iowa governor signed HF 133 relating to refund payments made in connection with motor vehicle debt cancellation coverage. The act provides that if a creditor is a financial institution, as defined in the Iowa consumer credit code or the Gramm-Leach-Bliley Act, and purchases a retail installment contract with voluntary debt cancellation coverage, “the only obligation of the creditor upon prepayment in full shall be to notify the motor vehicle dealer within thirty days of the prepayment.” It is the motor vehicle dealer’s responsibility to promptly determine whether a consumer is eligible to receive a refund of any voluntary debt cancellation coverage. Any refunds must be issued directly to the consumer within 60 days of the dealer receiving notice of prepayment from the creditor. The act is effective July 1.