InfoBytes Blog

Financial Services Law Insights and Observations

  • Illinois announces new consumer protections for digital assets, proposes new money transmitter licensing provisions

    State Issues

    On February 21, the Illinois Department of Financial and Professional Regulation (IDFPR) announced several legislative initiatives to establish consumer protections for cryptocurrencies and other digital assets and provide regulatory oversight of the broader digital asset marketplace. The Fintech-Digital Asset Bill (see HB 3479) would create the Uniform Money Transmission Modernization Act and provide for the regulation of digital asset businesses and modernize regulations for money transmission in the state. Among other things, the Fintech-Digital Asset Bill would require digital asset exchanges and other digital asset businesses to obtain a license from IDFPR to operate in the state. The bill also establishes various requirements for businesses, including investment disclosures, customer asset safeguards, and customer service standards. Companies would also be required to implement cybersecurity measures, as well as procedures for addressing business continuity, fraud, and money laundering. Notably, the Fintech-Digital Asset Bill replaces and supersedes the Transmitters of Money Act (see 205 ILCS 657) with the Money Transmission Modernization Act, in order to harmonize the licensing, regulation, and supervision of money transmitters operating across state lines. Provisions also amend the Corporate Fiduciary Act to allow for the creation of trust companies for the special purpose of acting as a fiduciary to safeguard customers’ digital assets, the announcement noted.

    The Consumer Financial Protection Bill (see HB 3483) would grant the IDFPR authority to enforce the Fintech-Digital Asset Bill and strengthen the department’s authority and resources for enforcing existing consumer financial protections. Modeled after the Dodd-Frank Act, the Consumer Financial Protection Bill empowers the IDFPR with the ability to target unfair, deceptive, and abusive acts and practices by unlicensed financial services providers. The bill creates the Consumer Financial Protection Law and the Financial Protection Fund, and establishes provisions related to supervision, registration requirements, consumer protection, cybersecurity, anti-fraud and anti-money laundering, enforcement, procedures, and rulemaking. The Consumer Financial Protection Bill also includes provisions concerning court orders, penalty of perjury, character and fitness of licensees, and consent orders and settlement agreements, and makes amendments to various application, license, and examination fees. The bill does so by amending the Collection Agency Act, Currency Exchange Act, Sales Finance Agency Act, Debt Management Service Act, Consumer Installment Loan Act, and Debt Settlement Consumer Protection Act.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security Licensing Illinois State Regulators State Legislation Money Service / Money Transmitters Enforcement Fintech Consumer Finance

  • Montana amends mortgage servicing laws

    On February 16, the Montana governor signed HB 30, which amends certain provisions of the state’s mortgage laws. Among other things, the act outlines provisions related to financial condition requirements, model state regulatory prudential standards for nonbank mortgage servicers, risk assessments, and licensee reporting requirements. The act also permits remote work provided certain conditions are met, including that a licensee’s employees and independent contractors do not meet with the public in an unlicensed personal residence, business records are not stored at the remote locations, appropriate security measures are put in place to ensure the confidentiality of customer information, and the NMLS record reflects the designation of a properly licensed location as the mortgage loan originator’s official workstation. In addition, the act amends provisions related to the denial of a licensee’s application or renewal, and updates designated manager and branch office licensing requirements to account for the remote location allowance. The act further provides the Department of Administration (acting through the Division of Banking and Financial Institutions) with rulemaking authority for addressing the revocation or suspension of licenses for cause, investigations into alleged violations, and fees, among other things. Additional amendments address the sharing of confidential supervisory information with state and federal financial regulators. Exempt from the act’s requirements are not-for-profit servicers and housing financing agencies, while servicers solely involved in reverse mortgage servicing are exempt from certain portions of the act. Similarly, servicers with 25 or fewer loans, or servicers wholly owned and controlled by one or more state- or federally-regulated depository institutions are also exempt from certain portions of the act. A servicer that is also licensed as an escrow business may apply to waive or adjust certain financial condition requirements. The act is effective July 1.

    Licensing State Issues Mortgages State Legislation Montana Nonbank Mortgage Servicing NMLS

  • DFPI launches crypto scam tracker

    State Issues

    On February 16, the California Department of Financial Protection and Innovation (DFPI) launched a database to help consumers in the state spot and avoid crypto scams. The Crypto Scam Tracker compiles details about apparent crypto scams identified through a review of public complaints submitted to the DFPI, and is searchable by company name, scam type, or keywords. “Through the new Crypto Scam Tracker, combined with rigorous enforcement efforts, the DFPI is committed to shining a light on these ruthless predators and protecting consumers and investors,” DFPI Commissioner Clothilde Hewlett said in the announcement.

    State Issues Digital Assets California DFPI Cryptocurrency Consumer Finance Fintech

  • NYDFS adds enhancements for detecting virtual currency fraud

    State Issues

    On February 21, NYDFS Superintendent Adrienne A. Harris announced enhancements to the Department’s ability to detect fraud in the virtual currency industry. The new enhancements will improve NYDFS’s ability to combat financial crime and detect illegal activity among state-regulated entities engaged in virtual currency activity through new insider trading and market manipulation risk monitoring tools. Specifically, the enhancements will strengthen NYDFS’s virtual currency supervision and aid the Department in detecting potential insider trading, market manipulation, and front-running activity associated with regulated entities’ and applicants’ exposure or potential exposure to listed virtual currency wallet addresses. The announcement builds upon recently issued guidance related to the use of blockchain analytics tools, the issuance of U.S. dollar-backed stablecoins, and custodial guidance on crypto insolvency, as well as guidance for addressing measures for preventing market manipulation. (Covered by InfoBytes here, here, here, and here.)

    State Issues New York NYDFS Digital Assets State Regulators Virtual Currency

  • Illinois Supreme Court says BIPA claims accrue with every transmission

    Privacy, Cyber Risk & Data Security

    On February 17, the Illinois Supreme Court issued a split decision holding that under the state’s Biometric Information Privacy Act (BIPA), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The plaintiff filed a proposed class action alleging a defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting her biometric data and disclosing the data to a third-party vendor without first obtaining her consent. According to the plaintiff, the defendant introduced a biometric-collection system that required employees to scan their fingerprints in order to access pay stubs and computers shortly after she began her employment in 2004. Under BIPA (which became effective in 2008), section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining “a person’s biometric data without first providing notice to and receiving consent from the person,” whereas section 15(d) provides that private entities “may not ‘disclose, redisclose, or otherwise disseminate’ biometric data without consent.” While the plaintiff asserted that the defendant did not seek her consent until 2018, the defendant argued, among other things, that the action was untimely because the plaintiff’s claim accrued the first time the defendant obtained her biometric data. In this case, the defendant argued that the plaintiff’s claim accrued in 2008 after BIPA’s effective date. The plaintiff countered that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.” The U.S. District Court for the Northern District of Illinois agreed with the plaintiff but certified its order for immediate interlocutory appeal after “finding that its decision involved a controlling question of law on which there is substantial ground for disagreement.”

    The U.S. Court of Appeals for the Seventh Circuit ultimately found that the parties’ competing interpretations of claim accrual were reasonable under Illinois law, and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court. The question certified to the high court asked whether “section 15(b) and (d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]”

    The majority held that the plain language of the statute supports the plaintiff’s interpretation. “With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub,” the high court said. The majority rejected the defendant’s argument that a BIPA claim is limited to the initial scan or transmission of biometric information since that is when the individual loses the right to control their biometric information “[b]ecause a person cannot keep information secret from another entity that already has it.” This interpretation, the majority wrote, wrongfully assumes that BIPA limits claims under section 15 to the first time a party’s biometric identifier or biometric information is scanned or transmitted. The Illinois Supreme Court further held that “[a]s the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’” However, the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” adding that because “we continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature, . . . [w]e respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”

    The dissenting judges countered that “[i]mposing punitive, crippling liability on businesses could not have been a goal of [BIPA], nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.” “Indeed, the statute’s provision of liquidated damages of between $1000 and $5000 is itself evidence that the legislature did not intend to impose ruinous liability on businesses,” the dissenting judges wrote, cautioning that plaintiffs may be incentivized to delay bringing claims for as long as possible in an effort to increase actionable violations. Under BIPA, individuals have five years to assert violations of section 15—the statute of limitations recently established by a ruling issued by the Illinois Supreme Court earlier this month (covered by InfoBytes here).

    Privacy, Cyber Risk & Data Security Courts State Issues Illinois BIPA Enforcement Consumer Protection Class Action Appellate

  • Massachusetts AG reaches $6.5M settlement over deceptive auto-renewal and collection practices

    State Issues

    The Massachusetts attorney general recently reached a $6.5 million settlement with a home security services company, its sister companies, and its CEO to resolve allegations that the defendants violated Massachusetts consumer protection laws by trapping customers in auto renewal contracts and engaging in illegal debt collection practices. The final judgment by consent, filed in Suffolk County Superior Court, resolves a 2019 lawsuit alleging the defendants engaged in unfair and deceptive tactics to prevent customers from canceling their contracts, charged for services during system outages or for services that were never provided, steered customers into contract renewal instead of cancellation, and engaged in aggressive and illegal debt collection practices. Under the terms of the settlement, the defendants are required to pay $1.8 million and waive and forgive $4.7 million of outstanding customer debt. Although they denied the allegations, the defendants have agreed to implement changes to their business practices, including taking measures to come into compliance with the attorney general’s debt collection regulations, offering credits to customers who purchased non-functional systems that cannot be repaired, implementing new complaint procedures, and permitting existing customers to cancel their contracts by telephone, email, and web portal. Additionally, the defendants will make several revisions to the terms of their contracts relating to auto-renewal practices, monitoring charges, cancellation policies and procedures, late fees and other costs.

    State Issues State Attorney General Massachusetts Settlement Debt Collection Consumer Finance

  • Colorado releases privacy act updates

    Privacy, Cyber Risk & Data Security

    Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. The attorney general also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The attorney general previously released two versions of the draft rules last year (covered by InfoBytes here and here).

    The third set of draft rules seeks to address additional concerns raised through public comments and makes a number of changes, including:

    • Clarifying definitions. The modifications add, delete, and amend several definitions, including those related to “bona fide loyalty program,” “information that a [c]ontroller has a reasonable basis to believe the [c]onsumer has lawfully made available to the general public,” “publicly available information,” “revealing,” and “sensitive data inference” or “sensitive data inferences.” Among other things, the definition of “publicly available information” has been narrowed by removing the exception to the definition that had excluded publicly available information that has been combined with non-publicly available information. Additionally, sensitive data inferences now refer to inferences which “are used to” indicate certain sensitive characteristics.
    • Right to opt out and right to access. The modifications outline controller requirements for complying with opt-out requests, including when opt-out requests must be completed, as well as provisions for how privacy notice opt-out disclosures must be sent to consumers, and how consumers are to be provided mechanisms for opting out of the processing of personal data for profiling that results in the provision or denial of financial or lending services or other opportunities. With respect to the right to access, controllers must implement and maintain reasonable data security measures when processing any documentation related to a consumer’s access request.
    • Right to correct and right to delete. Among other changes, the modifications add language providing consumers with the right to correct inaccuracies and clarify that a controller “may decide not to act upon a [c]onsumer’s correction request if the [c]ontroller determines that the contested [p]ersonal [d]ata is more likely than not accurate” and has exhausted certain specific requirements. The modifications add requirements for when a controller determines that certain personal data is exempted from an opt-out request.
    • Notice and choice of universal opt-out mechanisms. The modifications specify that disclosures provided to consumers do not need to be tailored to Colorado or refer to Colorado “or to any other specific provisions of these rules or the Colorado Privacy Act examples.” Additionally, a platform, developer, or provider that provides a universal opt-out mechanism may, but is not required to, authenticate that a user is a resident of the state.
    • Controller obligations. Among other things, a controller may choose to honor an opt-out request received through a universal opt-out mechanism before July 1, 2024, may respond by choosing to opt a consumer out of all relevant opt-out rights should the universal opt-out mechanism be unclear, and may choose to authenticate that a user is a resident of Colorado but is not required to do so.
    • Purpose specification. The modifications state that controllers “should not specify so many purposes for which [p]ersonal [d]ata could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.” Controllers must modify disclosures and necessary documentation if the processing purpose has “evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose.”
    • Consent. The modifications clarify that consent is not freely given when it “reflects acceptance of a general or broad terms of use or similar document that contains descriptions of [p]ersonal [d]ata [p]rocessing along with other, unrelated information.” Requirements are also provided for how a controller may proactively request consent to process personal data after a consumer has opted out.
    • User interface design, choice architecture, and dark patterns. The modifications provide that a consumer’s “ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.” The modifications also specify principles that should be considered when designing a user interface or a choice architecture used to obtain consent, so that it “does not impose unequal weight or focus on one available choice over another such that a [c]onsumer’s ability to consent is impaired or subverted.”

    Additional modifications have been made to personal data use limitations, technical specifications, public lists of universal opt-out mechanisms, privacy notice content, loyalty programs, duty of care, and data protection assessments. Except for provisions with specific delayed effective dates, the rules take effect July 1 if finalized.

    On February 28, the attorney general announced that the revised rules were adopted on February 23, but are subject to a review by the attorney general and may require additional edits before they can be finalized and published in the Colorado Register. 

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Consumer Protection

  • California Dept. of Real Estate reminds licensees of fiduciary duty requirements

    The California Department of Real Estate (DRE) recently reminded real estate licensees with a mortgage loan origination (MLO) endorsement of their fiduciary duty to borrowers. DRE licensees (including brokers, salespersons, and broker-associates supervised by a broker) who provide mortgage brokerage services to a borrower act as a fiduciary of that borrower, the DRE said, explaining that this “includes placing the economic interest of the borrower ahead of their own.” The Bulletin noted that California courts have held that the fiduciary relationship not only requires the broker to act in the highest good faith toward their client but also prohibits the broker from obtaining any advantage over the client by virtue of the fiduciary relationship. Licensees who violate their fiduciary duties may face DRE-disciplinary action against their real estate license and/or MLO endorsement and may also expose themselves to civil liability.

    Licensees are reminded that they are required to be aware of all laws, regulations, and rules governing their activities, including the federal Loan Originator Compensation (LO Comp) Rule, which “prohibits loan originators, including brokers, from receiving compensation based on the terms of consumer mortgage transactions.” Prior to the LO Comp Rule, mortgage brokers often received commissions that varied based on the terms of the mortgage loans they obtained for their clients, and in many cases received larger commissions on loans carrying less advantageous terms (e.g., loans with a higher interest rate would result in a larger commission than the same loan with a lower interest rate). The LO Comp Rule now prohibits this practice.

    The Bulletin also reminded licensees that receiving greater compensation for acting against the economic interests of a consumer would also violate a broker’s fiduciary responsibility to place the economic interest of their client ahead of their own, should the decision be motivated by a financial desire to increase compensation. Further, licensees may not steer or direct a borrower to close a loan with a particular lender in exchange for receiving a higher commission unless the transaction is the best loan for the borrower. Licensees must also disclose to a borrower the costs and expenses associated with the loan, and disclose all compensation received in the transaction. Taking any secret or undisclosed compensation, commission, or profit is also prohibited, the Bulletin said.

    Licensing State Issues California Loan Origination LO Comp Rule Steering Mortgages Consumer Finance

  • NYC Banking Commission to combat lending and employment discrimination

    State Issues

    On February 10, the New York City Banking Commission, which consists of the city’s mayor, the comptroller, and the Commissioner of the Department of Finance, announced two transparency measures to combat lending and employment discrimination by designated banks. Designated banks are those eligible to hold NYC deposits and are expected to provide approved banking products and services for city entities. The announcement states that beginning with this year’s biennial designation cycle, a public comment process will now be included prior to and during the Banking Commission’s public hearing to designate banks that will be eligible to hold deposits of city funds. Revisions have also been made to the certifications that banks are required to submit ahead of designation in order “to reinforce the obligation for depository banks to provide detailed plans and specific steps to combat different forms of discrimination in their operations.” NYC Mayor Eric Adams added “[t]hese new steps will ensure the Banking Commission is designating only those banks that have shown that they can protect taxpayer money and that are committed to promoting equity in all aspects of their operations.”

    State Issues New York Consumer Finance Discrimination Fair Lending

  • CSBS says state regulators need access to FinCEN’s beneficial ownership database

    State Issues

    On February 14, the Conference of State Bank Supervisors commented that FinCEN should be more explicit in its inclusion of state regulators as agencies that can request access to FinCEN’s forthcoming secure, non-public beneficial ownership information database. (See comment letter here.) As previously covered by InfoBytes, last December FinCEN issued a notice of proposed rulemaking (NPRM) to implement provisions of the Corporate Transparency Act (CTA) that govern the access to and protection of beneficial ownership information (BOI). The NPRM proposed regulations for establishing who may request beneficial ownership information, how the information must be secured, and non-compliance penalties, and also addressed aspects of the database that are currently in development. Agreeing that the new database would help enhance anti-money laundering and countering the financing of terrorism standards and help prevent the use of privacy to hide illicit activity from law enforcement and government authorities, CSBS asked that the final rule “explicitly define state regulators so that there is no confusion about their ability to access BOI when examining state-chartered banks and non-depository trust companies for compliance with customer due diligence requirements under the Bank Secrecy Act (BSA).” According to CSBS, state regulators conducted over 1,200 BSA exams in 2021. CSBS further pointed out that being able to request BOI on an as-needed basis would aid investigative and enforcement responsibilities for both state-chartered banks and state-licensed nonbank financial services providers.

    State Issues Financial Crimes State Regulators CSBS Beneficial Ownership FinCEN Corporate Transparency Act Customer Due Diligence Anti-Money Laundering Combating the Financing of Terrorism Bank Secrecy Act
