InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Oregon clarifies appraisal company registration authority
On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.
OFAC sanctions individuals involved in Syria’s drug production and trafficking
On March 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated key individuals for supporting the regime of Syrian President Bashar al-Assad and the regime’s billion-dollar illicit drug production and trafficking enterprise. Taken in coordination with the UK, the designations, issued pursuant to Executive Orders 13572, 13582, and 13224, “also highlight the important role of Lebanese drug traffickers—some of whom maintain ties to Hizballah—in facilitating the export of Captagon[,]” the dangerous amphetamine at issue. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions or subject to an enforcement action, OFAC warned.
Law firm settles breach claims related to health care data
On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advance data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach.
Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”
Utah amends disclosure requirements for data breaches
On March 23, the Utah governor signed SB 127, which, among other things, requires additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”
The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.
The amendments are effective 60 days follow adjournment of the legislature.
Crypto lender to provide refunds to Californians
On March 27, the California Department of Financial Protection and Innovation (DFPI) announced that a New Jersey-based crypto lending platform has agreed to provide more than $100,000 in refunds to California residents. The refunds, subject to bankruptcy court approval, stem from the lender’s conduct following the collapse of a major crypto exchange last November. As previously covered by InfoBytes, in December, DFPI moved to revoke the lender’s California Financing Law license following an examination, which found that the lender “failed to perform adequate underwriting when making loans and failed to consider borrowers’ ability to repay these loans, in violation of California’s financing laws and regulations.” At the time the lender announced it was limiting platform activity and pausing client withdrawals. The lender eventually filed a petition for chapter 11 bankruptcy. An investigation also revealed that due to the lender’s failure to timely notify borrowers that they could stop repaying their loans, borrowers remitted at least $103,471 in loan repayments to the lender’s servicer while they were unable to withdraw funds and collateral from the platform. A hearing on the lender’s petition to direct its servicer to return borrowers’ loan repayments is scheduled for April 19.
The lender agreed to an interim suspension of its lending license while the bankruptcy and revocation actions are pending. It also agreed to a final order to discontinue unsafe or injurious practices, as well as a desist and refrain order. Among other things, the lender has agreed to continue to direct its agents to pause collection of repayments on loans belonging to California residents while its license is suspended (including turning off autopay), will continue to set interest rates to 0 percent, and continue to not levy any late fees associated with any payments or report any loans that became delinquent or defaulted on or after November 11, 2022, to credit reporting agencies while the bankruptcy and revocation actions are pending.
Kentucky modifies allowable charges on consumer loans
On March 29, Kentucky enacted SB 165 to amend Kentucky code to modify permitted loan charges for consumer loan companies. Specifically, licensees may make loans up to $15,000, excluding charges; however, the original principal amount determines how much a licensee may charge, contract for, and receive on a loan. For loans with an original principal amount under $5,000, a licensee may charge up to 3 percent per month on the original principal of the loan, as well as on any charges, including fees, costs, expenses, or other amounts authorized by the act on the loan contract. Licensees may charge 2.42 percent on loans between $5,000 and $10,000, and 2.25 percent on loans exceeding $10,000. Additionally, every loan payment may now “be applied to the face amount of the note until the loan contract is paid in full.” The amendments also stipulate that a licensee is not allowed to “induce or permit a person to become obligated to the licensee, directly or contingently, or both under any loan contract entered into within [10] days of the origination of another loan contract with the same person for the purpose or with the result of obtaining charges.” Moreover, should a licensee make a second or subsequent loan to a person outside of the 10-day period, “the licensee shall not be required to limit the loan charges to the aggregate amount of what the loans combined would dictate under this subtitle.” For borrowers that request loan funding in a manner other than a physical check, a licensee may charge a $3 funding fee per loan for distributing the proceeds in the manner requested by the borrower. The amendments are effective 90 days after adjournment of the legislature.
Iowa establishes refund requirements for voluntary debt cancellation coverage
On March 22, the Iowa governor signed HF 133 relating to refund payments made in connection with motor vehicle debt cancellation coverage. The act provides that if a creditor is a financial institution, as defined in the Iowa consumer credit code or the Gramm-Leach-Bliley Act, and purchases a retail installment contract with voluntary debt cancellation coverage, “the only obligation of the creditor upon prepayment in full shall be to notify the motor vehicle dealer within thirty days of the prepayment.” It is the motor vehicle dealer’s responsibility to promptly determine whether a consumer is eligible to receive a refund of any voluntary debt cancellation coverage. Any refunds must be issued directly to the consumer within 60 days of the dealer receiving notice of prepayment from the creditor. The act is effective July 1.
Virginia credit unions may offer virtual currency custody
On March 23, the Virginia governor signed HB 1727, which amends the Virginia code to allow credit unions operating in the commonwealth to engage in virtual currency custody services, provided the credit union “has adequate protocols in place to effectively manage risks and comply with applicable laws and, prior to offering virtual currency custody services, the credit union has carefully examined the risks in offering such services through a methodical self-assessment process.” The amendments stipulate that in order to engage in such services, a credit union must implement effective risk management systems and controls, confirm adequate insurance coverage, and maintain a service provider oversight program.
The amendments further provide that a credit union may offer such services in a fiduciary or nonfiduciary capacity; however, in order to provide virtual currency custody services in a fiduciary capacity, the credit union must first obtain approval from the State Corporation Commission. Commission approval is contingent upon a credit union having sufficient capital structure to support providing such services, credit union personnel being adequately trained to ensure compliance with governing laws and regulations, and that granting such authority is in the public interest. The amendments are effective July 1.
DFPI releases more proposed CCFPL modifications on complaints and inquiries
On March 23, the California Department of Financial Protection and Innovation (DFPI or the Department) released a second round of modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) (b), and (d)(2)(D) of the CCFPL. Subdivisions (a) and (b) authorize the DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and the DFPI concerning consumer complaints and inquiries, and subdivision (d)(2)(D) permits covered persons to withhold certain non-public or confidential information when responding to consumer inquiries. The first round of proposed modifications to the NPRM was released in December (covered by InfoBytes here).
DFPI considered comments received on the initially proposed text and the proposed modifications and is now proposing the following additional changes:
- Applicability. The proposed modifications clarify that Sections 1072, 1073, and 1074 apply only to covered persons required to be licensed by the DFPI or registered with the DFPI “pursuant to Financial Code sections 90009 and 90009.5, including any rules promulgated thereunder.”
- Amended definitions. The proposed modifications add an additional exclusion from the definition of “complaint[,]” excluding a “notice of error filed with a remittance transfer provider.” “Complainant” is amended to clarify that it does not include individuals who are not residents of California at the time “the act, omission, decision, condition, or policy giving rise to the complaint was applied to the consumer.”
- Complaint processes and procedures. Among other things, the proposed modifications add requirements that (i) covered persons issue initial and annual disclosures to California residents that include the procedures for filing a complaint; (ii) the main home page or main contact page include the set hours a live representative is normally available to accept oral complaints; (iii) all written communications—not just the final decision—related to a complaint must be submitted in the language in which the contract was negotiated; and (iv) make changes to DFPI’s annual complaint report requirements, including a new category related to nuisance complaints.
Comments are due April 7.
FDIC orders neobank to stop fraudulent deposit insurance representations
On March 27, the FDIC sent a letter to a neobank demanding that it stop making false or misleading representations about FDIC deposit insurance and take immediate corrective action to address these statements. The FDIC maintained that the neobank and/or its officers made false and misleading statements in English and Spanish suggesting that it is FDIC-insured and that FDIC insurance will protect customers’ cryptocurrency assets. The FDIC explained in the letter that not only is the neobank not FDIC-insured, the FDIC does not insure crypto assets. “By not distinguishing between US-dollar deposits and crypto assets, the statements imply FDIC insurance coverage applies to all customer funds (including crypto assets),” the letter said. Moreover, the neobank also failed to “clearly and conspicuously identify an insured deposit institution for placement of deposits,” the FDIC said in its announcement. Under the Federal Deposit Insurance Act, the announcement added, persons are prohibited “from representing or implying that an uninsured product is FDIC-insured or from knowingly misrepresenting the extent and manner of deposit insurance.” The FDIC requested a response within 15 days.