
InfoBytes Blog

Financial Services Law Insights and Observations


  • Ginnie Mae now requires issuers to disclose cybersecurity incidents within 48 hours

    Agency Rule-Making & Guidance

    On March 4, the President of Ginnie Mae released All Participants Memorandum (APM) 24-02, which set forth a new requirement applicable to all issuers, including issuers that subservice loans for others. The memo mandated that all approved issuers must notify Ginnie Mae of any significant cybersecurity incident within 48 hours of detection. Ginnie Mae defined a “Cyber Incident” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.” If a Cyber Incident has occurred, issuers must report it to Ginnie Mae via a specified email address and must include (i) the date and time of the incident, (ii) a summary of the incident, and (iii) points of contact responsible for coordinating any follow-up questions regarding the incident. These requirements are also now reflected in Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1.

    Agency Rule-Making & Guidance Ginnie Mae Mortgage-Backed Securities Cyber Risk & Data Security Disclosures

  • DFPI fines online platform for omitting convenience fee disclosures

    State Issues

    On January 9, DFPI issued a consent order against an online platform (respondent) that enables merchants to provide installment contracts to customers. The consent order resolved alleged violations of the California Consumer Financial Protection Law (CCFPL) arising from the convenience fees assessed by a third-party service provider when consumers opt to pay their installments online or by phone. According to the consent order, since 2021 respondent guaranteed that consumers entering into contracts on its platform had a fee-free payment method. However, for a time respondent failed to disclose potential optional convenience fees in the initial contract. Although the third-party servicer disclosed the convenience fees to consumers, DFPI took issue with the respondent’s failure to disclose these fees before transferring consumers to the third-party servicer to enter into the contracts. In other words, consumers only became aware of both the existence and amounts of these fees after entering into contractual obligations. DFPI accused respondent of deceiving consumers by failing to disclose this information first.

    Under the terms of the consent order, respondent must pay a $50,000 penalty and must disclose information about the potential convenience fees that may be assessed by a servicer.

    State Issues California DFPI CCFPL Enforcement Disclosures Third-Party Consumer Finance

  • District Court dismisses FDCPA suit; clarifies debt collector communication on identity theft

    Courts

    On December 5, the U.S. District Court of New Jersey dismissed an FDCPA suit brought against a debt collector. According to the opinion, plaintiff originally filed suit because they received a letter from defendant regarding an outstanding cell phone bill. The letter provided instructions on what to do if the recipient suspected identity theft. Additionally, the letter contained a summary of plaintiff’s account and a QR code that linked to defendant’s website for online payment. Plaintiff contended that the dual approach of offering assistance while simultaneously pursuing collection of a debt was false and misleading. A District Court judge, however, disagreed and dismissed the case, at which point the plaintiff filed an amended complaint.

    The amended complaint alleges that the debt collector breached the FDCPA by using false, deceptive or misleading representations regarding the rights of the plaintiff and the obligations of the debt collector with respect to communications concerning identity theft. Specifically, plaintiff argued defendant was in violation of § 1681m(g) of the FDCPA, which obligates a debt collector to take certain steps upon being notified of identity theft, but the court disagreed, finding that the collector’s specific steps taken were in accordance with the Act.

    The court emphasized that plaintiff did not introduce any new factual claims in the amended complaint, and merely clarified how the facts already outlined in the initial complaint breached the FDCPA. The judge ruled that the letter not only allows plaintiff to inform defendant about potential identity theft, but also may serve to bring potential identity theft to plaintiff’s attention. The ruling stated that there is no obligation to extensively explain recommended procedures in the case of an identity theft occurrence, and only an “idiosyncratic reading” of the letter would lead to the conclusion that the letter misrepresents defendant’s obligations.

    Courts Debt Collection FDCPA New Jersey Identity Theft Disclosures

  • CFPB orders bank to pay $6.2 million; alleges overdraft fees violate CFPA, EFTA

    Federal Issues

    On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act. 

    The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the bank did not comply with the CFPA and Regulation E.

    The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order. 

    Federal Issues CFPB CFPA Regulation E Overdraft Disclosures Opt-In Enforcement

  • District Court grants MSJ for debt collector in FDCPA case

    Courts

    On November 29, the U.S. District Court for the Eastern District of New York granted summary judgment in favor of a debt collector (defendant) under the FDCPA, holding that the defendant’s collection letter was not misleading.

    According to the court’s order, the plaintiff and the defendant established a payment agreement over the phone, during which the representative mentioned to the plaintiff that the interest rate on the loan would be lowered to 5.99 percent, and that failure to make any of the 11 monthly payments could render the agreement void. Shortly after, the plaintiff received a letter from the defendant that conveyed essentially the same information. The defendant also provided the plaintiff with billing statements, including a statement indicating $11.14 in accumulated interest during the initial month in the payment plan. Additionally, the defendant sent the plaintiff a collection letter that outlined the monthly payment and total balance due. The collection letter contained a warning that interest, late charges, and other charges that may vary from day to day could result in a greater balance than the amount plaintiff owed as of the date of the letter. The plaintiff argued that the warning was contradictory to the concept of a “fixed” payment plan, and thus was deceptive and misleading in violation of Section 1692e.

    The court noted that it had previously dismissed an FDCPA case against the same defendant using similar language in the context of a debt settlement. In that case, the defendant provided both a disclaimer and the settlement offer, and the court held that including both in the same communication “does not automatically render the letter misleading ... [d]efendant accurately and unambiguously conveyed the agreed-upon monthly payment, total balance, and APR.” The court also reasoned that holding debt collectors liable for violating the FDCPA in such instances might discourage them from proposing debt settlement plans to consumers. 

    Courts FDCPA Disclosures New York Debt Collection

  • California enacts licensing requirements for digital asset businesses, regulation of crypto kiosks

    On October 13, the California Governor signed AB 39, which will create a licensing requirement for businesses engaging in digital financial asset business activity. Crypto businesses will need to apply for a license with California’s Department of Financial Protection and Innovation (DFPI). The bill, among other things, (i) empowers DFPI to conduct examinations of a licensee; (ii) defines “digital financial asset” as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified”; (iii) empowers DFPI to conduct enforcement actions against a licensee or a non-licensed individual who engages in crypto business with, or on behalf of, a California resident for up to five years after their activity; (iv) allows DFPI to assess civil money penalties of up to $20,000 for each day a licensee is in material violation of the law, and up to $100,000 for each day an unlicensed person is in violation; and (v) requires licensees to provide certain disclosures to California clientele, such as when and how users may receive fees and charges, and how they are calculated. The new law exempts most government entities, certain financial institutions, most people who solely provide connectivity software, computing power, data storage or security services, and people engaging with digital assets for personal, family, household or academic use or whose digital financial asset business activity is reasonably expected to be valued at no more than $50,000 per year. In September of last year, the California Governor vetoed a similar bill because creating a licensing framework was “premature” considering conflicting efforts.

    Also effective on July 1, 2025 is SB 401, which was also enacted on October 13. SB 401 establishes regulations for crypto kiosks under the DFPI’s authority. It will, among other things, prohibit kiosk operators from accepting or dispensing more than $1,000 in a single day to or from a customer via a kiosk. Operators would be required to furnish written disclosures detailing the transaction's terms and conditions as well as transaction details. Kiosk operators will also be obligated to provide customers with a receipt for any transaction at their kiosk, including both the amount of a digital financial asset or USD involved in a transaction and, in USD, any fees, expenses, and charges collected by the kiosk operator. Finally, operators will be required to provide DFPI with a list of all their crypto kiosks in California, and such list will be made public.

    Licensing State Issues California DFPI State Legislation Cryptocurrency Digital Assets Disclosures

  • California enacts law to extend commercial financing cost disclosure requirement

    State Issues

    On October 7, the California governor signed SB 33 to, among other things, continue to require covered providers offering commercial loans to disclose the total cost of financing expressed as an annualized rate indefinitely. Existing law requires this disclosure only until January 1, 2024.

    SB 33 is effective January 1, 2024.

    State Issues California State Legislation Commercial Finance Disclosures Consumer Finance

  • FTC roundtable on generative AI and the creative economy

    Federal Issues

    On October 4, the FTC hosted a virtual roundtable to hear directly from creators on how generative artificial intelligence (AI) is affecting their work and livelihood. FTC Chair Lina Khan noted the Commission’s role enforcing rules of fair competition and its intention to “keep pace” to fully understand how new technology can be used and the negative impacts. Khan reminded the audience that there is no “AI exemption” to the laws regarding unfair methods of competition or collusion, discrimination, or deception. In addition, Commissioner Kelly Slaughter mentioned that the generative AI dynamic of web scraping is often performed without the knowledge of creators whose livelihood depends on displaying a public portfolio.

    Duncan Crabtree-Ireland, chief negotiator for SAG AFTRA, stated that the companies using AI technology must receive informed consent and compensation for the use of individuals’ likenesses. John August, committee member for the Writers Guild of America, explained the union’s position that AI generated content can be considered an unfair method of competition, and that creators deserve protection against the unfair use of their work. Douglas Preston, author and former president of the Writers Guild of America, shared that he is part of a class action lawsuit with 16 other authors against a generative AI platform.

    Overall, participants asked the FTC to initiate rulemaking and to support federal legislation as necessary to underpin the protection of creators’ livelihood, as technology is outpacing law and regulation. They suggested that moving forward, platforms should request creators to opt-in, rather than opt-out of the use of their works to teach and support generative AI output. Moreover, participants repeatedly mentioned a need for disclosures for consumers, so they know when synthetic AI-generated voices, among other things, are used in content generated for consumers.

    Federal Issues FTC Artificial Intelligence Disclosures Consumer Protection

  • SEC charges fintech investment adviser for misleading advertising

    Securities

    On August 21, the SEC announced charges against a New York-based fintech investment adviser for using hypothetical performance metrics in misleading advertisements, compliance failures that led to misleading disclosures, and failure to adopt policies concerning crypto asset trading by employees, among other things. These charges mark the first violation of the SEC’s amended marketing rule.

    According to the order, the fintech investment adviser made misleading statements on its website by failing to include material information, and without having adopted and implemented required policies and procedures under the SEC’s marketing rule. The SEC also found that the company made conflicting disclosures regarding crypto assets custody and failed to adopt policies related to employee personal trading in crypto assets. 

    The company consented to the order finding that it violated the Advisers Act and, without admitting or denying the SEC’s findings, agreed to a cease-and-desist order, a censure, and payment of $192,454 in disgorgement, prejudgment interest and an $850,000 civil penalty that will be distributed to affected clients.

    Securities Fintech Enforcement SEC Disclosures Cryptocurrency Cease and Desist

  • Connecticut joins states enacting commercial financing disclosures and lender and broker registration requirements

    State Issues

    On June 28, Connecticut became the latest state to require certain providers of sales-based commercial financing to provide disclosures to borrowers and that such providers and brokers register with the state. SB 1032 (the “Act”) defines “commercial financing” as any extension of sales-based financing by a provider in amounts of $250,000 or less, which the recipient does not intend to use primarily for personal, family, or household purposes. A “provider” is defined by the Act as “a person who extends a specific offer of commercial financing to a recipient” and includes, unless otherwise exempt, a “commercial financing broker,” but does not include “a bank, out-of-state bank, bank holding company, Connecticut credit union, federal credit union, out-of-state credit union or any subsidiary or affiliate of the foregoing.” “Sales-based financing” means a transaction that is repaid by the recipient to the provider over time (i) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the volume of sales made or revenue received by the recipient, or (ii) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue. The Act establishes parameters for qualifying commercial transactions and outlines numerous additional exemptions.

    Under the Act, when extending a specific offer for sales-based financing, the provider must disclose the terms of the transaction as specified within the Act. As a condition of obtaining commercial financing, should the provider require a recipient to pay off the balance of existing commercial financing from the same provider, the provider would be required to include additional disclosures. The Act also discusses the conditions and criteria under which using another state’s commercial financing disclosure requirements that meet or exceed Connecticut’s provisions may be permitted. Providers may rely on a statement of intended purpose made by the “recipient” (defined as “a person, or the authorized representative of a person, who applies for commercial financing and is made a specific offer of commercial financing by a provider”) to determine whether the financing is commercial financing.

    Further, the Act provides that a commercial financing contract entered into on or after July 1, 2024, may not contain any provisions waiving a recipient’s right to notice, judicial hearing, or prior court order in connection with the provider obtaining any prejudgment remedy. Additionally, a provider may not revoke, withdraw, or modify a specific offer until midnight of the third calendar day after the date of the offer. Notably, there is a requirement that providers and brokers of commercial financing be registered with the state banking commissioner, in addition to adhering to the prescribed disclosure requirements, no later than October 1, 2024.

    Finally, the banking commissioner is authorized to adopt regulations to carry out the Act’s provisions. Providers who violate the Act’s provisions, or any adopted regulations, will be subject to civil penalties. The commissioner may also seek injunctive relief against providers who knowingly violate any of the provisions.

    The Act takes effect July 1, 2024.

    State Issues State Legislation Connecticut Commercial Finance Disclosures Broker
