Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Texas resolves securities fraud case with decentralized finance lending platform

    State Issues

    Recently, a decentralized finance crypto lending platform and its owners (respondents) entered into a settlement agreement with a Texas regulatory agency, resolving an emergency cease-and-desist action brought in June 2023. The Texas State Securities Board alleged that respondents committed securities fraud in connection with the offers and sales of investments, falsely denied the platform’s impending bankruptcy, and “secretly” transferred customer funds to a crypto exchange, as well as offered unregistered securities. Under the terms of the settlement, respondents have agreed to, among other things, (i) inform clients of its plan for asset return within seven days of the settlement and provide a seven-day window for clients to withdraw assets through the app; (ii) continue to provide customer support to prior customers; (iii) pay an administrative fine; and (iv) cease-and-desist from selling unregistered securities in the state without admitting or denying the allegations. Texas also agreed to dismiss its emergency cease-and-desist order as part of the settlement.  

    State Issues Texas Enforcement Cryptocurrency Lending

  • CFPB, DOJ sue developer over predatory lending

    Federal Issues

    On December 20, the CFPB and the DOJ issued a press release announcing the filing of a complaint against four affiliated Texas-based entities (collectively, the “developer”) alleging bait-and-switch land sales and predatory financing. The agencies claim the developer violated ECOA and FHA by targeting thousands of Spanish-speaking borrowers with predatory seller financing. The complaint also alleges the developer misrepresented or omitted material information regarding the seller-financed flood-prone lots having “the infrastructure necessary to connect water, sewer, and electrical services pre-installed,” and regarding flood risk. The complaint also claims that the developer did not provide purchasers with a property report before the purchaser entered into the subject agreement. Further, according to the complaint, the developer marketed the lots primarily in Spanish, but required borrowers to sign important transactional documents written in English only. The action also includes claims brought under other laws and regulations. Notably, this is the first federal court lawsuit the CFPB has brought under the Interstate Land Sales Full Disclosure Act of 1968 (ILSA).

    Federal Issues DOJ CFPB Consumer Finance Consumer Protection Texas Enforcement

  • Senate passes resolution seeking to nullify CFPB’s small business lending rule

    Federal Issues

    Recently, the U.S. Senate passed a joint resolution of disapproval (S.J. Res. 32) under the Congressional Review Act to nullify the CFPB’s small business lending rule. As previously covered on InfoBytes, the rule, which requires financial institutions to collect and report to the CFPB credit application data for small businesses, has faced opposition from various politicians and is the subject of litigation brought by financial institutions that would be subject to the rule in the U.S. District Court of the Southern District of Texas. In support of the joint resolution, Sen. John Kennedy (R-LA), who introduced the legislation, recently argued on the floor that “the CFPB is setting these small business people… up for lawsuits” because “[it] has promulgated a rule that totally perverts our intention in section 1071.”  If the House of Representatives similarly passes the joint resolution, and President Biden signs it, the CFPB’s rule will be nullified under the Congressional Review Act.

    The joint resolution follows the order from the U.S. District Court for the Southern District of Texas granting a nationwide preliminary injunction enjoining the CFPB from enforcing the rule (covered by InfoBytes here and here).

    Federal Issues CFPB Section 1071 Congress Peer-to-Peer Small Business Lending Texas

  • District Court grants 1071 Rule nationwide stay

    Courts

    On October 26, the U.S. District Court of the Southern District of Texas entered an order granting intervenors’ motions for preliminary injunction against the CFPB and its small business loan rule.

    As previously covered by InfoBytes, the district court entered an order in August enjoining enforcement of the rule pending the Supreme Court’s decision in Consumer Financial Protection Bureau v. Community Fin. Serv. of Am. and extending the rule’s compliance date to account for the tine the stay remained in place. The court, however, limited that relief to the plaintiffs at that time—a bank and two bank trade associations—and their members. In the wake of this ruling, separate trade associations representing small business lenders asked the CFPB to take administrative action to ensure that the compliance date for other lenders would be adjusted commensurately. The CFPB declined their request.

    In response, separate groups of intervenor plaintiffs, including trade associations representing other types of small business lenders, intervened in the action and filed motions seeking to expand the scope of the preliminary injunction to all affected lenders (or at least their members), claiming the court’s decision to spare some from the rule put them at a competitive disadvantage.  The CFPB opposed those motions (covered by InfoBytes here).

    In its most recent order, the court reasoned that the preliminary injunction should extend to intervenors because the CFPB lacked evidence supporting its argument that that greater harm would result from a stay on its 1071 rule and “its intended benefits for small businesses failed to tip the balance in their favor.” The court reasoned that the purpose of the statute underlying the Bureau’s final rule is the equal application of lending laws to all credit applications to avoid disparate outcomes, presuming uniform application to covered financial institutions. Therefore, to exempt plaintiffs and not all other covered financial institutions would undermine the statute, leaving “non-exempted lenders subject to the discretion of an agency whose very ability to act is a matter of constitutional concern pending resolution on a nationwide scale.” Under that reasoning, the district court granted plaintiffs’ motions for preliminary injunction, enjoining the CFPB from implementing its 1071 Rule for small business lending.  

    Courts CFPB Small Business Lending Litigation Texas Agency Rule-Making & Guidance

  • Texas enacts data broker requirements

    State Issues

    The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.

    The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.

    The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.

    State Issues Privacy, Cyber Risk & Data Security State Legislation Texas Data Brokers Third-Party

  • Texas is most recent state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On June 18, the Texas governor signed HB 4 to enact the Texas Data Privacy and Security Act (TDPSA) and establish a framework for controlling and processing consumer personal data in the state. Texas follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana in enacting comprehensive consumer privacy measures. Earlier this month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    The TDPSA applies to a person that conducts business in the state or produces products or services consumed by state residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration, except to the extent that it sells sensitive data which requires consumer consent. Unlike other states, there is no data-processing volume threshold. The TDPSA only protects consumers acting in an individual or household capacity and does not cover individuals acting in a commercial or employment context. Additionally, the TDPSA provides several exemptions, including financial institutions or data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, higher education institutions, covered entities governed by the Health Insurance Portability and Accountability Act, and certain utility companies.

    Highlights of the TDPSA include:

    • Consumers’ rights. Under the TDPSA, consumers will be able to access their personal data; confirm whether their data is being processed; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling.
    • Data controllers’ responsibilities. Data controllers under the TDPSA will be responsible for, among other things: (i) responding to consumer requests within 45 days (unless extenuating circumstances arise) and providing requested information free of charge; (ii) establishing a process to allow consumer appeals after a controller’s refusal to take action on a consumer’s request; (iii) providing at least two methods for consumers to exercise their rights; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) establishing easy opt-out methods that require consumers to affirmatively and freely choose to opt out of any processing of their personal data; (vii) processing data in compliance with state and federal anti-discrimination laws; (viii) obtaining consumer consent in order to process sensitive data; (ix) providing clear and reasonably accessible privacy notices; and (x) conducting and retaining data protection assessments and ensuring deidentified data cannot be associated with a consumer. The TDPSA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
    • No private right of action. The TDPSA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
    • Right to cure. Upon discovering a potential violation of the TDPSA, the attorney general must give the data controller notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit and seek up to $7,500 for each violation, as well as injunctive relief, attorney’s fees, and other expenses.

    The TDPSA takes effect July 1, 2024, except for certain provisions relating to methods for submitting consumer requests, which shall take effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Texas Consumer Protection

  • Texas has new licensing requirements for digital-asset platforms

    In June, the Texas governor signed HB 1666 (the “Act”) to add practice restrictions to digital asset service providers, defined as electronic platforms that facilitate the trading of digital assets on behalf of a digital asset customer and maintain custody of the customer’s digital assets. The Act applies to a digital asset service provider conducting business in Texas that holds a money transmission license and either services more than 500 digital asset customer in the state or has at least $10 million in customer funds. Digital asset service providers are required to comply with certain provisions in order to obtain and maintain a money transmission license including provisions relating to the commingling of funds, customer access to funds, accounting requirements, annual reporting requirements. The Texas Department of Banking has the authority to suspend and revoke a license if these requirements are not met and may impose a penalty for violations of the Act. The commissioner also has examination authority and may promulgate rules to administer and enforce the Act’s provisions. The Act is effective September 1. Certain financial institutions and entities not required to hold a money transmission license are exempt. 

    Licensing State Issues Digital Assets Fintech State Legislation Texas Money Service / Money Transmitters

  • Texas enacts digital services bill to protect minors

    Privacy, Cyber Risk & Data Security

    On June 13, the Texas governor signed HB 18 to enact the Securing Children Online through Parental Empowerment (SCOPE) Act. The Act will require digital service providers to register a person’s age and, if the user is determined to be a minor (younger than 18 years of age), the provider is required to: (i) limit the collection of personal identifying information (PII) to what is reasonably necessary to provide the service; (ii) limit use of PII to the purpose for which it was collected; (iii) prevent the user from engaging in financial transactions through the digital service; (iv) prevent the user’s PII from being shared, disclosed, or sold; (v) not use the digital service to collect precise geolocation data on the user; or (vi) not use the digital service for targeted advertising. Digital service providers are also required to create tools for parents to control their minor children’s accounts and privacy settings and should reasonably attempt to limit advertising and algorithms that direct minors to harmful content.

    SCOPE applies only to those who provide a digital service that enables minor users to socially interact with other users on the digital service and create, post, or share content. SCOPE outlines numerous exemptions, including exemptions for financial institutions, certain covered entities governed by the Health Insurance Portability and Accountability Act, certain persons subject to the Family Educational Rights and Privacy Act, and certain affiliates or subsidiaries of an internet service provider.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law (a violation of the Act is considered a deceptive act or practice). The Act takes effect September 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Texas Consumer Protection

  • Texas enacts Money Services Modernization Act

    On May 29, the Texas governor signed SB 895 (the “Act”) to enact the Money Services Modernization Act, the money transmitter model law created by industry and state experts. The goal of the Act is to create a set of consistent and coordinated standards relating to the regulation of money service businesses. Among other things, the Act outlines networked supervision criteria to allow the commissioner to participate in multistate supervisory processes coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and other related affiliates and successors for all money services licenses that hold licenses in Texas and other states. To efficiently minimize regulatory burden, the commissioner may, among other things, coordinate and share information with other state and federal regulators, enter into information-sharing contracts or agreements, conduct joint examinations or investigations, and accept examination or investigation reports made by other states. Texas now joins several other states in adopting common licensing and regulatory standards to add efficiencies to the multi-state process (continuing InfoBytes coverage here).

    Additionally, the commissioner has enforcement, examination, and supervision authority, may adopt implementing regulations, and may recover costs and fees associated with applications, examinations, investigations, and other related actions. The Act also includes additional consumer protection provisions. The Act includes in the definition of “money” or “monetary value” a stablecoin that “(i) is pegged to a sovereign currency; (ii) is fully backed by assets held in reserve; and (iii) grants a holder of the stablecoin the right to redeem the stablecoin for sovereign currency from the issuer.” Among the various exemptions, the Act provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services. The amendments also outline numerous licensing application and renewal procedures including net worth, surety bond, and permissible investment requirements. The Act is effective September 1.

    Licensing State Issues State Legislation Texas Money Service / Money Transmitters CSBS

  • Texas amends breach notification requirements

    Privacy, Cyber Risk & Data Security

    On May 27, the Texas governor signed SB 768 to amend the state’s data breach notification statutes. The Act requires entities to notify the attorney general “as soon as practicable” and not later than 30 days after the date a computerized security system breach occurs involving at least 250 Texas residents. The Act now details that notification must be submitted electronically using a form accessible through the attorney general’s website. No substantive changes were made to the required information within the form. The Act is effective September 1.

    Privacy, Cyber Risk & Data Security State Issues Texas Data Breach State Attorney General Consumer Protection

Pages

Upcoming Events