Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
In March, NYDFS released a report detailing the findings of an investigation into whether a global technology company and a New York state-chartered bank allegedly discriminated against women when making underwriting decisions for a co-branded credit card. According to the report, in 2019, allegations were made that the bank offered lower credit limits to women applicants and unfairly denied women accounts. NYDFS launched a fair lending investigation into the allegations and reviewed underwriting data for nearly 400,000 New Yorker residents, but ultimately found no evidence of unlawful disparate treatment or disparate impact. Among other things, the report noted that the bank “had a fair lending program in place for ensuring its lending policy—and underlying statistical model—did not consider prohibited characteristics of applicants and would not produce disparate impacts.” The bank also identified the factors it used when making the credit decisions, including credit scores, indebtedness, income, credit utilization, missed payments, and other credit history elements, all of which, NYDFS stated, appeared to be consistent with its credit policy.
On March 23, the Illinois Governor signed the Predatory Loan Prevention Act, SB 1792, which prohibits lenders from charging more than 36 percent APR on all non-commercial consumer loans under $40,000, including closed-end and open-end credit, retail installment sales contracts, and motor vehicle retail installment sales contracts. For purposes of calculating the APR, the act requires lenders to use the system for calculating a military annual percentage rate under the Military Lending Act. Any loan with an APR exceeding 36 percent will be considered null and void “and no person or entity shall have any right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan.” Additionally, a violation constitutes a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, and carries a potential fine up to $10,000. The act also contains an anti-evasion provision that prohibits persons or entities from “making loans disguised as a personal property sale and leaseback transaction; disguising loan proceeds as a cash rebate for the pretextual installment sale of goods or services; or making, offering, assisting, or arranging a debtor to obtain a loan with a greater rate or interest, consideration, or charge than is permitted by this Act through any method including mail, telephone, internet, or any electronic means regardless of whether the person or entity has a physical location in the State.”
The same day, the governor also signed SB 1608, which, among other things, creates a state version of the Community Reinvestment Act. The act will allow the state to assess whether covered financial institutions, including state-chartered banks, credit unions and non-bank mortgage lenders, are meeting the needs of local communities, including low-income and moderate-income neighborhoods. Financial institutions’ lending practices and community development/redevelopment program investments will be examined by the Secretary of Financial and Professional Regulation, who is granted the authority to conduct examinations in compliance with other state and federal fair lending laws including, but not limited to, the Illinois Human Rights Act, ECOA, and HMDA.
Both acts are effective immediately.
On March 11, the Utah governor signed HB 80, which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets specific safeguard requirements to protect personal information and is in place at the time of the data breach has an affirmative defense to claims brought under Utah law or in the courts of the state that allege the person failed to implement reasonable information security controls that resulted in the data breach. A person also has an affirmative defense to claims regarding the failure to appropriately respond to a data breach or provide notice to affected individuals as long as the written cybersecurity program contained specific protocols at the time of the breach that “reasonably complied with the requirements for a written cybersecurity program” for responding to a data breach or for providing notice. HB 80 also outlines the components that a written cybersecurity program must include to be eligible for an affirmative defense, and is effective 60 days following adjournment of the legislature.
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly-approved amendments strengthen the language of CCPA regulations approved by OAL last August (covered by InfoBytes here). Specifically, the new amendments:
- Require businesses selling personal information collected in the course of interacting with consumers offline to provide consumers about their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
- Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.
Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million individuals, including Social Security numbers, payment card information, and in certain instances, medical test names and diagnostic codes. According to the proposed consent order, an unauthorized user accessed the company’s internal system and accessed consumers’ personal information. The AGs claimed that “[d]espite numerous warnings from banks that processed its payments about a potential breach, [the company] failed to detect the intrusion.” Under the terms of the settlement, the company has agreed to implement data security practices to strengthen its information security program and safeguard consumers’ personal information. These measures include: (i) creating and implementing an information security program that includes an incident response plan; (ii) employing a chief information security officer to oversee data safety practices; and (iii) hiring a third-party assessor to conduct an information security assessment. Additionally, should the company fail to honor the injunctive terms of the settlement it may be liable for as much as $21 million.
On March 15, California launched their CA COVID-19 Rent Relief Program to aid landlords and renters who have unpaid rental debt due to Covid-19. In order to be eligible, a tenant must have “suffered a financial hardship” as a result of Covid-19 and have 80% or less of the area median income for their location. Landlords with eligible tenants may receive up to 80% of a tenant’s unpaid rent if they agree to waive the remaining 20%.
On March 15, the Nevada Department of Business of Industry, Division of Mortgage Lending extended its provisional guidance allowing licensed mortgage loan originators to work from home (previously covered here, here, and here) until June 30, 2021.
On March 15, the Michigan Department of Insurance and Financial Services issued a bulletin “strongly” encouraging financial institutions to protect payments made to customers under the American Rescue Plan from overdrafts and fees. The bulletin further instructs that if a financial institution’s system automatically applies such a payment to a preexisting overdraft, the institution should reverse the application of the direct payment as promptly as possible.
On March 15, the Michigan Department of Insurance and Financial Services, the Michigan Bankers Association, Community Bankers of Michigan, the Michigan Credit Union League and the National Business League urged minority-owned and other underserved businesses in Michigan to apply for forgivable loans through the Paycheck Protection Program (PPP) prior to the March 31, 2021 deadline. The announcement highlighted that community development financial institutions offer specialized support to underserved communities and can assist customers with limited or no credit history to obtain a PPP Loan.
On March 15, the Colorado governor issued an executive order extending numerous previous executive orders for 30 days. Among other things, the previous orders suspended certain aspects of Colorado statutes concerning foreign entity qualifications to conduct business in Colorado.
- Jeffrey P. Naimon to discuss "Post-pandemic CFPB exam preparation" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Making fair lending work for you" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Reading the tea leaves of President Biden’s initial financial appointees" at LendIt Fintech
- APPROVED Webcast: Staying in the know with Buckley regtech solutions
- Moorari K. Shah to discuss “CA, NY, federal licensing and disclosure” at the Equipment Leasing & Finance Association Legal Forum
- Jonice Gray Tucker to discuss "Compliance under Biden" at the WSJ Risk & Compliance Forum
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable