
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB to extend 1071 rule compliance deadlines

    Federal Issues

    On May 17, the CFPB announced it is extending the compliance deadlines for the small business lending rule (Section 1071 of Dodd-Frank, the “1071 rule”), which will require financial institutions to collect and report data on lending to small businesses to the Bureau (covered by InfoBytes here). Following challenges to the 1071 rule in the U.S. District Court in Texas, the rule was stayed pending the Supreme Court’s decision in CFPB v. CFSA (covered by InfoBytes here). Considering the Supreme Court’s recent decision that the Bureau’s funding is constitutional and the district court’s order requiring the CFPB to extend the rule’s compliance deadlines to compensate for the period stayed, the Bureau will issue an interim final rule to extend compliance deadlines as follows:

    • Tier 1 institutions (highest volume lenders): The new compliance date is July 18, 2025, and the first filing deadline is June 1, 2026.
    • Tier 2 institutions (moderate volume lenders): The new compliance date is January 16, 2026, and the first filing deadline is June 1, 2027.
    • Tier 3 institutions (lowest volume lenders): The new compliance date is October 18, 2026, and the first filing deadline is June 1, 2027.

    Federal Issues Agency Rule-Making & Guidance CFPB Small Business Lending Texas

  • Maryland enacts child consumer protection laws

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 571 (the “Act”) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including processing data not in children’s best interests, profiling children, processing geolocation, using dark patterns, or monitoring children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.

    Privacy, Cyber Risk & Data Security State Issues Maryland Consumer Protection State Legislation

  • Maryland enshrines its consumer online data privacy act

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.

    The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.

    Privacy, Cyber Risk & Data Security Maryland State Issues State Legislation

  • NIST issues updated security requirements and assessment procedures for protecting controlled unclassified information

    Privacy, Cyber Risk & Data Security

    On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” to Special Publication 800-171 (Protecting Controlled Unclassified Information on Nonfederal Systems and Organizations) and 800-171A (Assessing Security Requirements for Controlled Unclassified Information) for federal contractors and other entities that do business with the federal government and handle controlled unclassified information. The revisions were intended to create better alignment with the controls set forth in Special Publication 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), realign controls based on new tailoring criteria, and directly tie specific controls to the handling of controlled unclassified information. The revisions further implemented the framework set forth in Executive Order 13556 – Controlled Unclassified Information, and give the private sector more clarity by tailoring the moderate baseline for controls in Special Publication 800-53 Rev. 5 to withdraw the requirements that are, among other things, primarily the responsibility of the federal government, not directly related to the protection of controlled unclassified information, or adequately addressed through other related controls. The updates will also allow for more specific tailoring of organizational controls to security standards, increasing flexibility. Finally, the assessment procedures in Special Publication 800-171A for determining whether a contractor or other entity would be compliant with Special Publication 800-171 were updated to align with the new revisions in Special Publication 800-171. These updates will come at a time when the Department of Defense will continue to implement the Cybersecurity Maturity Model Capability, covered by InfoBytes here.

    Privacy, Cyber Risk & Data Security NIST Federal Issues

  • Maryland enacts new powers for regulators to examine third parties

    State Issues

    On May 9, the Governor of Maryland approved HB 250 (the “Act”) which will authorize the Commissioner of Financial Regulation to examine third parties that service entities under the supervision of the state’s Office of Financial Regulation (OFR). Such licensed entities include both depository and non-depository financial institutions. Until the Act goes into effect, the OFR lacks the authority to examine third parties. The Act will define third-party service providers as a “person who performs activities relating to financial services on behalf of a regulated entity for that regulated entity’s customers,” and include data processing centers, activities that support financial services, and internet-related services. On enforcement, the Act will authorize the OFR to enforce the law against any third party that refuses to submit to an examination, refuses to pay a fee, or engages in “unsafe or unsound” behaviors as determined by the OFR. The Act will outline several authorities of the OFR, including notifying the licensed person, which information the OFR can access, and levying fees. Following a notice and hearing, the Commissioner may issue a cease-and-desist order, suspend or revoke a violator’s license, or issue a penalty of up to $10,000 for the first violation and up to $25,000 for each subsequent violation. The Act takes effect on October 1.

    State Issues State Legislation Maryland Enforcement Fees

  • Connecticut becomes latest state to ban medical debts in credit reporting

    State Issues

    On May 9, the Governor of Connecticut approved SB 395 (the “Act”) banning health care providers from reporting medical debt to credit rating agencies. Further, the Act will prohibit hospitals and collection agents from reporting a patient to a credit rating agency, as well as initiating an action to foreclose a lien where the lien was filed to secure payment for health care (retroactive from October 1, 2022), and from garnishing wages for health care collections (also retroactive from October 1, 2022). The Act will go into effect on July 1. The CFPB wrote in favor of this bill’s enactment after the CFPB promulgated its NPRM to prohibit creditors from using medical bills in underwriting decisions, as covered by InfoBytes here.

    State Issues Connecticut State Legislation CFPB Medical Debt Credit Report

  • NYDFS releases its Cybersecurity Program Template

    State Issues

    On May 13, NYDFS issued a guidance letter informing licensed entities about its Cybersecurity Program Template. NYDFS created the Template to help individual licensees and individually owned businesses licensed by NYDFS to develop a cybersecurity program as required by its cybersecurity regulation (23 NYCRR Part 500). The Template was prepared based on the version of the NYDFS Cybersecurity Regulation in effect as of November 1, 2023 (covered by InfoBytes here). The template does not need to be submitted to NYDFS or any other state agencies for approval. 

    State Issues NYDFS Privacy, Cyber Risk & Data Security New York

  • Maryland updates prohibited items reported on consumer credit reports

    State Issues

    On May 9, the Governor of Maryland approved SB 41 (the “Act”) which will change the requirements on prohibitions for consumer reporting agencies as to what information they may include in consumer credit reports.

    The Act will prohibit consumer reporting agencies from reporting bankruptcies more than 10 years before the credit report would be issued, suits and judgments of more than seven years, paid tax liens greater than seven years, accounts placed for collection of more than seven years, arrest records or other crime reports of greater than seven years, and “any other adverse information that predates the report” by more than seven years. These reporting prohibitions do not apply to credit transactions with a principal amount of at least $150,000, the underwriting of life insurance with a face value of at least $150,000, or the employment of someone with a salary of at least $75,000. The Act will go into effect on October 1.

    State Issues Maryland Credit Report Consumer Reporting Agency Debt Collection

  • 11th Circuit rejects a proposed TCPA class action settlement

    Courts

    On May 13, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a proposed TCPA class action settlement agreement. The class, consolidated from three class actions, accused the defendant, the “world’s largest services platform for entrepreneurs,” of violating the TCPA by using an automatic telephone dialing system to send unwanted calls and text messages to promote its products. The $35 million settlement and attorney’s fees, up to $10.5 million, were approved preliminarily in 2020.

    According to the appellate court’s opinion, the district court abused its discretion in approving a proposed $35 million settlement because it: (i) did not consider the 2018 amendments to Rule 23(e)(2); (ii) overlooked possible collusion in the settlement agreement; and (iii) inadequately informed class members about the case. Additionally, the court incorrectly calculated the attorneys’ fees and wrongly treated the settlement as a common fund rather than a claims settlement. The class’s counsel was criticized for appearing to represent their own interests over those of the class since they were supposed to receive $10.5 million in fees. The court also found issues with the opt-out process, which was deemed overly complex and likely to discourage class members from opting out. As a result, the judgment was vacated.

    Courts Eleventh Circuit Appellate TCPA Settlement

  • CFPB obtains motion to dismiss in district court case against mortgage lender

    Courts

    On May 2, the U.S. District Court for the Southern District of Florida denied a mortgage lender’s motion to dismiss. The CFPB sued the lender in October 2023 for violating HMDA and Regulation C by intentionally misreporting data regarding borrower race, ethnicity, and sex pursuant to a data reporting requirement from a prior consent order. In a sample of the defendant’s data reporting submission, the CFPB allegedly found 51 data errors across seven data fields. The court sided with the CFPB on all four grounds raised in the lender’s motion to dismiss. First, the court found that the CFPB pleaded a plausible violation of the HMDA, sufficient to survive a motion to dismiss. Second, the court rejected the lender’s arguments that HMDA and Regulation C are “unconstitutionally vague” because they established a standard for covered loan data that meets a constitutional standard. Third, the court sided again with the CFPB in finding that the injunctive relief at issue did not qualify as an “obey the law” injunction since it provided reasonable clarity of what was required of the lender. And fourth, the court upheld the funding structure of the CFPB as constitutional, therein following guidance from the Second Circuit in upholding the structure as constitutional.

    Courts CFPB HMDA Regulation C Enforcement
