Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 4, the California governor issued Executive Order N-03-21 extending the protections against commercial foreclosures and evictions arising from the nonpayment of rent or mortgage payments due to a substantial decrease in income or increase in medical expenses caused by the Covid-19 pandemic (previously discussed here and here) to June 30, 2021.
On February 23, the New York attorney general announced a $18.5 million settlement with the operators of a virtual currency trading platform and the “tether” virtual currency issuer, along with their affiliated entities, to resolve allegations that the companies deceived clients by overstating available reserves and hiding $850 million in co-mingled client and corporate funds. According to the AG, one of the companies operated an online trading platform for exchanging and trading virtual currency, which allowed users to store virtual or fiat currency, convert virtual currency into fiat currency, and withdraw funds, while the “tether” virtual currency issuer represented that the “stablecoin” it issued was backed one-to-one by U.S. dollars in reserve. However, an AG investigation found, among other things, that the companies made false statements about the backing of the stablecoin and moved hundreds of millions of dollars between the two companies in an attempt to conceal massive losses, and that the stablecoins were, in fact, no longer backed one-to-one by U.S. dollars in reserve, contrary to the company’s representations. The AG also noted that a national bank, which acted as the correspondent bank for the companies and was used to fill orders for U.S. dollars, elected to stop processing U.S. dollar wire transfers from the companies, forcing the companies to find alternative banking arrangements and ultimately leading to a liquidity crisis. Further, the AG stated that the companies failed to disclose these issues to the public. In 2019, a court order enjoined the companies from engaging in activities that may have defrauded investors trading in cryptocurrency (covered by InfoBytes here).
Under the terms of the settlement agreement, the companies and related entities must, among other things, (i) discontinue any further trading activity in the state; (ii) pay $18.5 million in monetary relief; and (iii) take steps to increase transparency, including maintaining internal controls and procedures designed to ensure that their products and services are not used by New York persons and entities, providing compliance reports to the AG, and providing a list of utilized payment processors.
NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to perform an investigation into the company’s collection of sensitive personal data from smartphone apps after a media report emerged that claimed app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information prior to entering the company’s system; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to provide users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. The steps include that the company should “do more  to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for doing so.
On February 22, Washington D.C. Mayor Muriel Bowser announced that the District of Columbia Department of Insurance, Securities and Banking would be partnering with the United Planning Organization to administer a free hotline to connect District residents who were financially harmed by Covid-19 with trained financial “navigators.” These navigators will offer advice and help connect residents to various programs and services to help manage income disruptions and other financial concerns, including foreclosure mediation.
On February 22, the governor of Nebraska announced the launch of an emergency rental assistance program. Through the program Nebraska’s Housing Finance Agency, $158 million in federal stimulus funds will be available for distribution to eligible tenants and landlords.
On February 22, the Maryland commissioner of financial regulation issued guidance that extends the “re-start date” for the initiation of residential foreclosures to April 1, 2021. The guidance is issued pursuant to the Maryland governor’s executive order 20-12-17-02, which amended and restated previous executive orders covered here, here, and here.
On February 19, Georgia Governor Brian Kemp announced that Georgia has received $552 million from the federal government to implement a rental assistance program. The Georgia Department of Community Affairs will be administering the Georgia Rental Assistance program (subject to the still-developing U.S. Treasury guidelines), which will make payments directly to the landlords and utility providers of eligible individuals. To qualify for the program, a household must have:
- Qualified for unemployment benefits or experienced a reduction in household income, incurred significant costs, or experienced other financial hardship due directly or indirectly to Covid-19;
- Demonstrated a risk of experiencing homelessness or housing instability; and
- Have a household income at or below 80% of the Area Median Income (AMI), with priority given to: 1) households below 50% of the AMI, or 2) households with one or more individuals who have been unemployed 90 days or longer.
Payments are generally capped at 12 months of rent and utilities, but may extend to 15 under certain circumstances.
The Hawaii Department of Financial Institutions extended interim guidance permitting certain licensees with a physical presence to reduce hours or work from home to coincide with local mayor’s orders (see previous coverage here, here, here and here). The department explained that licensees may continue work from home status until applicable mayor’s orders are lifted. The department will also continue remote work status.
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDYS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).
- Jeffrey P. Naimon to discuss "Post-pandemic CFPB exam preparation" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Making fair lending work for you" at the Mortgage Bankers Association Spring Conference & Expo
- Gage Javier to discuss “How to ensure customer and workforce equality in consumer financial services” at the American Bar Association Business Law Section Spring Meeting
- Jeffrey P. Naimon to discuss “The bureau in transition” at the American Bar Association Business Law Section Spring Meeting
- Jonice Gray Tucker to discuss "Reading the tea leaves of President Biden’s initial financial appointees" at LendIt Fintech
- APPROVED Webcast: Staying in the know with Buckley regtech solutions
- Moorari K. Shah to discuss “CA, NY, federal licensing and disclosure” at the Equipment Leasing & Finance Association Legal Forum
- Jonice Gray Tucker to discuss "Compliance under Biden" at the WSJ Risk & Compliance Forum
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable