
  • California expands consumer privacy rights to include genetic data

    Privacy, Cyber Risk & Data Security

    On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.

    Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.

    Both bills take effect January 1, 2022.

    Privacy/Cyber Risk & Data Security State Issues State Legislation California Consumer Protection

  • California authorizes prepaid accounts to accept publicly administered funds provided no overdraft fees

    State Issues

    On October 5, the California governor signed SB 497, which, among other things, amends the definition of a “qualifying account” used for the purposes of depositing certain publicly administered funds. The amendment eliminates prepaid card accounts from the definition of “qualifying account,” and instead authorizes “a prepaid account or a demand deposit or savings account offered by or through an entity other than an insured depository financial institution, as specified, that is not attached to an automatic credit or overdraft feature, unless the credit or overdraft feature has no fee, charge, or cost, or it complies with the requirements for consumer credit under the federal Truth in Lending Act.” Specifically, persons or entities that are not insured depository financial institutions but who offer, maintain, or manage non-“qualifying accounts” are prohibited from soliciting, accepting, or facilitating the direct deposit of the publicly administered funds into the accounts.

    State Issues State Legislation California Consumer Finance Overdraft Prepaid Cards TILA

  • CFPB issues semi-annual report to Congress

    Federal Issues

    On October 8, the CFPB issued its semi-annual report to Congress covering the Bureau’s work from October 1, 2020 to March 31, 2021. The report, which is required by Dodd-Frank, addresses, among other things, the effects of the Covid-19 pandemic on consumer credit, significant rules and orders adopted by the Bureau, consumer complaints, and various supervisory and enforcement actions taken by the Bureau. In his opening letter, Director Dave Uejio discusses the Bureau’s efforts to increase racial equity in the marketplace and to mitigate the financial effects of the Covid-19 pandemic on consumers, including measures such as reinstituted regular public reporting, developing Prioritized Assessments to protect consumers from elevated risks of harm related to the pandemic, and numerous enforcement actions with claims or findings of various violations. Uejio also notes that communities of color, particularly Black and Hispanic communities, have disproportionately experienced the health and economic effects of the pandemic, and states that the Bureau is utilizing “all [of its] tools to ensure that all communities, of all races and economic backgrounds, can participate in and benefit from the nation’s economic recovery.”

    Among other topics, the report highlights two publications by the Bureau: one focusing on the TRID Integrated Disclosure Rule (covered by InfoBytes here), and another focusing on credit record trends for young enlisted servicemembers during the first year after separation (covered by InfoBytes here). The effects of the Covid-19 pandemic on consumer credit are also discussed, as are the results from the Bureau’s Making Ends Meet Survey. In addition to these areas of focus, the report notes the issuance of several significant notices of proposed rulemaking related to remittance transfers, debt collection practices, the transition from LIBOR, and qualified mortgage definitions under TILA. Multiple final rules were also issued concerning Truth in Lending Act (Regulation Z); remittance transfers; and payday, vehicle, title, and certain high-cost installment loans. Several other rules and initiatives undertaken during the reporting period are also highlighted.

    Federal Issues CFPB Covid-19 Consumer Finance Agency Rule-Making & Guidance TRID Servicemembers LIBOR TILA Payday Rule

  • DFPI reports sharp decrease in consumer lending and PACE financing

    State Issues

    On October 7, the Department of Financial Protection and Innovation (DFPI) released a report showing significant changes in consumer lending activity, likely attributable to a number of factors including the Covid-19 pandemic, state and federal financial assistance, student loan payment moratoriums, favorable interest rates, and increased reporting of alternative financing products. The 2020 annual report examined unaudited data gathered from finance lenders, brokers, and Property Assessed Clean Energy (PACE) administrators licensed under the California Financing Law, as well as new data from the “Buy Now, Pay Later” (BNPL) industry. Findings showed, among other things, a sharp decrease in certain types of consumer loans with BNPL products (often interest-free), decreasing overall by 41 percent in 2019. However, the report found that consumer loans, excluding BNPL, increased 94.8 percent during the same period—a result likely caused by an increase in originations of consumer loans secured by real estate. Finance lenders, including BNPL, originated nearly 12 million consumer loans in 2020 (a 530 percent increase over the prior year), with the top six BNPL lenders accounting for 91 percent of the total consumer loans originated in 2020. DFPI noted that a surge in BNPL unsecured consumer loans reported to the regulator shows that BNPL payment options are becoming increasingly popular. DFPI also discussed recent BNPL enforcement actions, which required companies to consider a consumer’s ability to repay a loan and subjected the companies to rate and fee caps.

    The report also examined PACE financing data. According to findings, there was an 18 percent decline in the total number of PACE assessment contracts funded and originated in 2020, and a 30 percent decrease in gross income for PACE program administrators since 2019.

    State Issues State Regulators DFPI PACE Programs Consumer Finance Covid-19 Buy Now Pay Later

  • California passes legislation on automatic subscriptions

    State Issues

    On October 4, the California governor signed AB 390, which amends and adds Section 17602 of the Business and Professions Code regarding automatic subscription renewals. The law applies to businesses conducting automatic renewal or continuous services offers to California customers. Among other things, the bill requires that: (i) notice be provided at least 3 days before and at most 21 days before the expiration of the period for which a free gift or trial, or promotional or discounted price, applies; (ii) notice be provided at least 15 days and not more than 45 days before the automatic renewal offer or continuous service offer renews; and (iii) a business allow a consumer to terminate the automatic renewal or continuous service offer without engaging in steps that may delay the consumer’s ability to immediately terminate the policy. The bill also specifies that a “‘free gift’ does not include a free promotional item or gift given by the business that differs from the subscribed product.” The law takes effect July 1, 2022.

    State Issues California State Legislation Auto-Renewal

  • FDIC announces deposit insurance seminars

    Federal Issues

    On October 7, the FDIC announced that it will conduct four identical seminars for bank employees and bank officers regarding FDIC deposit insurance coverage between October 21 and December 14. According to the FDIC, the seminars will: (i) provide an overview of FDIC-deposit insurance rules; (ii) cover topics such as the general principles of coverage, ownership categories, and requirements; (iii) provide information on additional deposit insurance resources; and (iv) include coverage examples and a live Q&A session. Registration will be required, but the seminars are free. Seminar participants must register at least two business days prior to the event, which can be accessed here.

    Federal Issues FDIC Deposit Insurance

  • Fed announces enforcement action against Minnesota bank

    Federal Issues

    On October 7, the Federal Reserve Board announced an enforcement action against a Minnesota-based bank. In the consent order, the Fed alleges that the bank violated the National Flood Insurance Act (NFIA) and Regulation H. The order assesses a $11,00 penalty against the bank for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.

    Federal Issues Federal Reserve Enforcement Regulation H Flood Insurance National Flood Insurance Act

  • Fed and Treasury address climate change risks

    Federal Issues

    On October 7, Federal Reserve Governor Lael Brainard spoke at the Federal Reserve Stress Testing Research Conference discussing the impacts of climate change on economic activity. Brainard revealed that the Fed is considering the potential implications of climate-related risks for financial institutions and the financial system and emphasized that scenario analysis is emerging as a possible key analytical tool. Regarding the climate scenario analysis, Brainard noted that climate change’s future financial and economic consequences depend on the physical effects and the nature and speed of the transition to a sustainable economy. She highlighted the importance of “model[ing] the transition risks arising from changes in policies, technology, and consumer and investor behavior and the physical risks of damages caused by an increase in the frequency and severity of climate-related events as well as chronic changes, such as rising temperatures and sea levels.” Brainard also discussed opportunities to learn from other countries' use of climate scenario analysis and overcoming the challenges in implementing climate scenario analysis, noting that “climate scenario analysis may need to consider interdependencies across the financial system,” among other things. Brainard added that she anticipates that it will be useful “to provide supervisory guidance for large banking institutions in their efforts to appropriately measure, monitor, and manage material climate-related risks, following the lead of a number of other countries.”

    The same day, the U.S. Treasury Department announced the Treasury Climate Action Plan, which is directed by Executive Order 14008 and Treasury’s efforts to support adaptation and increase resilience of its facilities and operations to the impacts of climate change. Among other things, the plan establishes five priority action areas, including: (i) rebuilding stagnated programs and capabilities; (ii) addressing climate change vulnerabilities across Treasury operations; (iii) ensuring a climate-focused approach to managing Treasury’s real property portfolio footprint; (iv) enabling management to fully consider climate change realities; and (v) accounting for a financial investment approach appropriate to Treasury’s climate objectives. In addition to the priority areas, Treasury will utilize the data and science of climate change to adjust policies, programs, and activities in improving its resilience to climate risks and impacts, according to the announcement.

    Federal Issues Climate Climate-Related Financial Risks Federal Reserve Department of Treasury

  • Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts


    On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he failed to show that the directors faced a substantial likelihood of liability on a non-exculpated claim.

    The data breach, which exposed the personal information of approximately 500 million customers, took place via the reservation database of a property company that the corporation had acquired two years prior. The plaintiff alleged that the directors breached their fiduciary duties by failing to adequately conduct due diligence of cybersecurity technology for the property company in the pre-acquisition time period. For the post-acquisition period, the plaintiff alleged that the defendants continued to operate the property company’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under In re Caremark Int’l Inc. Derivative Litigation, a 1996 Delaware Chancery Court decision establishing a standard for oversight liability for board members.

    With respect to the pre-acquisition time period, the court held that the plaintiff’s claims were time-barred and that there was no basis for tolling. As to the post-acquisition claims, the court concluded that the directors do not face a substantial likelihood of liability under Caremark. Although the court noted that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors,” the allegations “do not meet the high bar required to state a Caremark claim.” According to the court, the plaintiff has not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures. The court acknowledged that the data breach was “momentous in scale and put the data of hundreds of millions of people at risk,” but concluded that the actions were “at the hands of a hacker,” saying that “[the corporation] was the victim of an illegal act rather than the perpetrator.”

    Courts Privacy/Cyber Risk & Data Security Derivatives Data Breach

  • District Court says Reg. J does not preempt state law in wire transfer case


    On October 5, a federal judge for the U.S. District Court for the Western District of Pennsylvania remanded a case back to state court, holding that the Federal Reserve’s regulation governing Fedwire transfers does not completely preempt state law claims. The elderly plaintiff alleged that bank employees helped her execute wire transfers totaling $4.3 million to an unknown scam artist, but never questioned whether she “intended, or knew, that the wire transfers were being made through a crypto currency bank to a crypto currency trust company.” The plaintiff sued the bank, claiming that it was negligent in not protecting her from the scheme, and that its advertising claims about keeping client information safe from scams were misleading and violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. While recognizing that the plaintiff only asserted state law claims, the bank removed the case to federal court on the ground that the Fedwire system used to make the transfers was governed by the Fed’s Regulation J, and thus state law was preempted.

    The court ruled that, while the bank could invoke Regulation J as a defense, the regulation does not expressly provide a private right to seek redress in federal court, nor does the regulation itself allow the bank to remove the case to federal court. “[T]he court concludes that the more persuasive case law reflects that only Congress (not a federal agency in a regulation) can completely preempt a state law cause of action to create removal jurisdiction.” The plaintiff did not assert federal claims, and so “[t]he mere fact that [the bank] intends to assert Regulation J as a preemption defense does not create removal jurisdiction.” Furthermore, the court cited the Fed’s commentary to Regulation J, which said regulations “may pre-empt inconsistent provisions of state law” but do not affect state law where there was no conflict. Since there was no conflict between Regulation J and the Pennsylvania law, the federal regulation does not provide the exclusive cause of action, the court said.

    Courts Federal Reserve State Issues Regulation J Wire Transfers Preemption
