InfoBytes Blog

Financial Services Law Insights and Observations

  • Republican senators and states oppose gun-store MCC

    State Issues

    On September 20, twenty-four state attorneys general sent a letter to the CEOs of three credit card companies opposing the International Organization for Standardization’s (ISO) recommendation to create a merchant category code (MCC) for gun stores to use when processing credit and debit card transactions. According to the AGs, the MCC “will not protect public safety,” and tracking gun purchase information “can only result in its misuse, either unintentional or deliberate.” The AGs also expressed their concern “that financial institutions that place their desired public policy outcomes ahead of the well-being of their investors do so in derogation of their fiduciary obligations.”

    The same week, twelve Republican U.S. Senators sent a separate letter to the CEOs, also requesting the reversal of their decision to comply with the ISO standard to create a separate MCC for the sale of firearms in the U.S. According to the letter, the CEOs “are choosing the side of gun control advocates over the privacy and Second Amendment rights of millions of law abiding Americans,” and the Senators consider the decision to comply with the MCC “the first step towards backdoor gun control on law abiding Americans.” The Senators asked the CEOs to respond to a series of ISO-related questions.

    As previously covered by InfoBytes, on September 2, the California and New York AGs sent a letter to the CEOs asking for the establishment of a unique MCC for gun store purchases, writing that a specially-designated MCC would help companies flag suspicious activity. The letter followed recent requests sent by several congressional Democrats to the same companies urging them to establish an MCC code for guns.

    State Issues Credit Cards U.S. Senate State Attorney General Federal Issues

  • FTC, DFPI shut down operation offering mortgage relief

    Federal Issues

    On September 19, the FTC and the California Department of Financial Protection and Innovation (DFPI) announced a lawsuit against several companies and owners for allegedly operating an illegal mortgage relief operation. (See also DFPI’s announcement here.) The filing marks the agencies’ first joint action, which alleges the defendants’ conduct violated the California Consumer Financial Protection Law, the FTC Act, the FTC’s Mortgage Assistance Relief Services Rule (the MARS Rule or Regulation O), the Telemarketing Sales Rule, and the Covid-19 Consumer Protection Act. The agencies claimed that the defendants preyed on distressed consumers with false promises of mortgage assistance relief. According to the complaint, the defendants made misleading claims during telemarketing calls to consumers, including those with numbers on the National Do Not Call Registry, as well as through text messages and in online ads. In certain cases, defendants represented they were affiliated with government agencies or were part of a Covid-19 pandemic assistance program. Among other things, defendants falsely claimed they were able to lower consumers’ interest rates or payments, and instructed consumers not to pay their mortgages, leading to late fees and significantly lower credit scores. Defendants also allegedly told consumers not to communicate directly with their lenders, which caused consumers to miss default notices and face foreclosure. Additionally, defendants charged consumers illegal up-front fees ranging from $500 to $2,900 a month, and told consumers they were negotiating loan modifications that in most cases never happened.

    The U.S. District Court for the Central District of California granted a restraining order temporarily shutting down the defendants’ operations. In freezing the defendants’ assets and ordering them to submit financial statements, the court noted that the agencies established a likelihood of success in showing that the defendants “have falsely, deceptively, and illegally marketed, advertised, and sold mortgage relief assistance services.”

    Federal Issues FTC DFPI State Issues California Mortgages Consumer Finance Mortgage Relief Enforcement California Consumer Financial Protection Law FTC Act MARS Rule Regulation O Telemarketing Sales Rule Covid-19 Consumer Protection Act Covid-19 UDAP

  • California passes UDAAP legislation

    State Issues

    On September 15, the California governor signed AB 1904, which amends Section 1770 of the Civil Code relating to financial institutions and addresses certain provisions under the Consumers Legal Remedies Act. Among other things, the bill prohibits a covered person or a service provider from engaging in unlawful, unfair, deceptive, or abusive acts or practices regarding consumer financial products or services, such as, among other things: (i) misrepresenting the source, sponsorship, approval, or certification; (ii) using deceptive representations of geographic origin; (iii) representing that goods are original or new if they have deteriorated unreasonably or are altered; (iv) advertising goods or services with the intent not to sell them as advertised; and (v) making false or misleading statements of fact concerning reasons for, existence of, or amounts of, price reductions. The bill authorizes the California Department of Financial Protection and Innovation to bring a civil action for a violation of the law. The bill would also make unlawful the failure to include certain information, including a prescribed disclosure, in a solicitation by a covered person, or an entity acting on behalf of a covered person, to a consumer for a consumer financial product or service.

    State Issues State Legislation California UDAAP DFPI State Regulators

  • New NYDFS proposal to implement Commercial Finance Disclosure Law

    State Issues

    On September 14, NYDFS published a notice of proposed rulemaking under New York’s Commercial Financing Disclosure Law (CFDL) related to disclosure requirements for certain providers of commercial financing transactions in the state. As previously covered by InfoBytes, the CFDL was enacted at the end of December 2020, and amended in February to expand coverage and delay the effective date. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. Last December, NYDFS announced that providers’ compliance obligations under the CFDL will not take effect until the necessary implementing regulations are issued and effective (covered by InfoBytes here).

    The newest proposed regulations (see Assessment of Public Comments for the Revised Proposed New Part 600 to 23 NYCRR) introduce several revisions and clarifications following the consideration of comments received on proposed regulations published last October (covered by InfoBytes here). Updates include:

    • A new section stating that a “transaction is subject to the CFDL if one of the parties is principally directed or managed from New York, or the provider negotiated the commercial financing from a location in New York.”
    • A new section requiring notice be sent to a recipient if a change is made to the servicing of a commercial financing agreement.
    • A revised definition of “recipient” to now “include entities subject to common control if all such recipients receive the single offer of commercial financing simultaneously.”
    • Clarifying language stating that the “requirements pertaining to the statement of a rate of finance charge or a financing amount, as that term appears in Section 810 of the CFDL, shall be in effect only upon the quotation of a specific commercial financing offer.”
    • Provisions allowing providers to perform calculations based upon either a 30-day month/360-day year or a 365-day year, with the acknowledgment that different methods of computation may lead to slightly different results.
    • An amendment stating that “a ‘provider is not required to provide the disclosures required by the CFDL when the finance charge of an existing financing is effectively increased due to the incurrence, by the recipient, of avoidable fees and charges.’”
    • An acknowledgement of comments asking that 23 NYCRR Part 600 be identical to California’s disclosure requirements (covered by InfoBytes here) “or as consistent as possible.” In response, NYDFS said that while it generally agrees, and has consulted with the California Department of Financial Protection and Innovation (DFPI), the regulations cannot be identical because the CFDL differs from the California Consumer Financial Protection Law and the Department cannot anticipate any future revisions DFPI may make to its proposed regulations.

    Comments on the proposed regulations are due October 31.

    State Issues Agency Rule-Making & Guidance Bank Regulatory State Regulators NYDFS Commercial Finance Disclosures New York CFDL California DFPI

  • Debt buyer will pay $12 million following allegations of unfair, deceptive practices

    State Issues

    On September 20, the Massachusetts attorney general announced that a California-based debt collection company and its subsidiaries agreed to pay $12 million, including restitution and debt relief, for allegedly engaging in unfair and deceptive debt buying practices. According to the assurance of discontinuance, the debt collector allegedly violated state law by, among other things, (i) purchasing debts without obtaining all relevant documentation from the seller to ensure the debts were valid and accurate; (ii) exceeding the number of calls permitted when attempting to collect a debt and placing harassing debt collection calls; (iii) failing to prevent its collection law firm from using falsified or otherwise incorrect information about the existence of lawsuits and judgments; and (iv) attempting to collect debts that were beyond the statute of limitations or time-barred. The debt collector also allegedly “represented that certain vulnerable consumers were required to make good faith payments or enter an agreement for judgment with payment on a debt when the consumer had only exempt sources of income like social security disability benefits and pensions,” the AG said in the announcement. While the debt collector expressly denied the allegations, it agreed to pay $4.5 million and will reform its debt collection practices and cease to collect on more than 4,200 debts placed with the collection law firm for which a judgment could not be verified. These debts total approximately $7.5 million.

    State Issues State Attorney General Enforcement Debt Collection Consumer Finance

  • 2nd Circuit: NY law on interest payments for escrow accounts is preempted

    Courts

    On September 15, the U.S. Court of Appeals for the Second Circuit held that New York’s interest-on-escrow law impermissibly interferes with the incidentals of national bank lending and is preempted by the National Bank Act (NBA). Plaintiffs in two putative class actions obtained loans from a national bank, one before and the other after certain Dodd-Frank provisions took effect. The loan agreements—governed by New York law—required plaintiffs to deposit money into escrow accounts. After the bank failed to pay interest on the escrowed amounts, plaintiffs sued for breach of contract, alleging, among other things, that under New York General Obligations Law (GOL) § 5-601 (which sets a minimum 2 percent interest rate on mortgage escrow accounts) they were entitled to interest. The bank moved to dismiss both actions, contending that GOL § 5-601 did not apply to federally chartered banks because it is preempted by the NBA. The district court disagreed and denied the bank’s motion, ruling first that RESPA (which regulates the amount of money in an escrow account but not the accruing interest rate) “shares a ‘unity of purpose’ with GOL § 5-601.” This is relevant, the district court said, “because Congress ‘intended mortgage escrow accounts, even those administered by national banks, to be subject to some measure of consumer protection regulation.’” Second, the district court reasoned that even though TILA § 1639d does not specifically govern the loans at issue, it is significant because it “evinces a clear congressional purpose to subject all mortgage lenders to state escrow interest laws.” Finally, with respect to the NBA, the district court determined that “the ‘degree of interference’ of GOL § 5-601 was ‘minimal’ and was not a ‘practical abrogation of the banking power at issue,’” and concluded that Dodd-Frank’s amendment to TILA substantiated a policy judgment showing “there is little incompatibility between requiring mortgage lenders to maintain escrow accounts and requiring them to pay a reasonable rate of interest on sums thereby received.” As such, GOL § 5-601 was not preempted by the NBA, the district court said.

    On appeal, the 2nd Circuit concluded that the district court erred in its preemption analysis. According to the appellate court, the important question “is not how much a state law impacts a national bank, but rather whether it purports to ‘control’ the exercise of its powers.” In reversing the ruling and holding that GOL § 5-601 was preempted by the NBA, the appellate court wrote that the “minimum-interest requirement would exert control over a banking power granted by the federal government, so it would impermissibly interfere with national banks’ exercise of that power.” Notably, the 2nd Circuit’s decision differs from the 9th Circuit’s 2018 holding in Lusnak v. Bank of America, which addressed a California mortgage escrow interest law analogous to New York’s and held that a national bank must comply with the California law requiring mortgage lenders to pay interest on mortgage escrow accounts (covered by InfoBytes here). Among other things, the 2nd Circuit determined that both the district court and the 9th Circuit improperly “concluded that the TILA amendments somehow reflected Congress’s judgment that all escrow accounts, before and after Dodd-Frank, must be subject to such state laws.”

    In a concurring opinion, one of the judges stressed that while the panel concluded that the specific state law at issue is preempted, the opinion left “ample room for state regulation of national banks.” The judge noted that the opinion relies on a narrow standard of preempting only those “state laws that directly conflict with enumerated or incidental national bank powers conferred by Congress,” and stressed that the appellate court declined to reach a determination as to whether Congress subjected national banks to state escrow interest laws in cases (unlike the plaintiffs’ actions) where Dodd-Frank’s TILA amendments would apply. 

    Courts State Issues Appellate Second Circuit New York Mortgages Escrow Interest National Bank Act Class Action Dodd-Frank RESPA TILA Consumer Finance

  • New York expands access to PSLF program

    State Issues

    On September 15, the New York governor signed S.8389-C/A.9523-B, which amends the Public Service Loan Forgiveness (PSLF) program statewide. Among other things, the legislation: (i) adds clarifying legal definitions, such as “certifying employment,” “employee,” “full-time,” “public service employer,” “public service loan forgiveness form,” and “public service loan forgiveness program”; (ii) establishes a standard hourly threshold for full-time employment at thirty hours per week for the purposes of accessing PSLF; and (iii) permits public service employers to certify employment on behalf of individuals or groups of employees directly with the U.S. Department of Education. The legislation is effective immediately.

    State Issues New York State Legislation Student Lending PSLF Department of Education Consumer Finance

  • California amends GAP disclosure legislation

    State Issues

    On September 13, the California governor signed AB 2311, which amends provisions regarding vehicle finance disclosures. The bill establishes provisions to govern the offer, sale, provision, or administration, in connection with a conditional sale contract, of a guaranteed asset protection waiver (GAP waiver). Specifically, the bill requires creditors to automatically refund the unearned portion of a GAP waiver if a consumer pays off or otherwise terminates their auto loan early. The bill prohibits: (i) conditioning the extension of credit, the term of credit, or the terms of a conditional sale contract upon the purchase of a GAP waiver; and (ii) the sale of a GAP waiver pursuant to certain provisions where the loan-to-value ratio exceeds the maximum loan-to-value ratio of the GAP waiver. The bill, among other things, authorizes the buyer to recover three times the amount of any GAP charges paid. The bill is effective January 1, 2023.

    State Issues State Legislation California Auto Finance Disclosures GAP Waivers GAP Fees Consumer Finance

  • California adopts “first-in-nation” act to safeguard children’s online data and privacy

    Privacy, Cyber Risk & Data Security

    On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).

    The Act also outlines specific requirements for covered businesses, including:

    • Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
    • Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
    • Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
    • Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
    • Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
    • Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
    • Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.

    Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.

    The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Consumer Protection California COPPA CPPA State Attorney General Enforcement

  • District Court denies defendant summary judgment in data breach suit

    Privacy, Cyber Risk & Data Security

    On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.

    Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”

    According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ‘the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”

    Privacy, Cyber Risk & Data Security Courts Data Breach State Issues Illinois Class Action
