
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS publishes new proposal on cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

    • New and amended definitions. The proposed second amendment defines “Chief Information Security Officer or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
    • Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove the 90-day period for covered entities to provide the superintendent with requested information, and instead provide that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
    • Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
    • Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

    The proposed second amendment is subject to a 45-day comment period expiring August 14.

    Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

  • Nevada enacts health data privacy measures

    Privacy, Cyber Risk & Data Security

    On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.

    The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.

    Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability.” Additionally, under existing law, if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.

    The Act is effective March 31, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Medical Data Nevada HIPAA Consumer Protection

  • Nevada amends licensing and regulation provisions

    On June 15, the Nevada governor signed SB 355 (the “Act”) to amend several provisions relating to existing state law, which provides for the licensure and regulation of various financial institutions by the Commissioner of Financial Institutions. Among other things, the Act prohibits the commissioner “from requiring an applicant for a license to establish a new depository institution to identify the physical address of the proposed depository institution in the application for the license.” Additionally, while the Act requires data collectors that own, license, or maintain personal information to provide notice to the state attorney general and certain other persons of certain breaches of security involving personal information, the amendments now exempt persons licensed to engage in the business of lending in Nevada from these requirements.

    The Act sets forth numerous other provisions, including (i) removing the requirement that debt collection agencies notify a medical debtor via registered or certified mail before taking any action to collect a medical debt; (ii) authorizing certain financial institution employees to temporarily delay certain financial transactions involving the suspected exploitation of an older person or vulnerable person (and setting forth certain liability exemptions); and (iii) authorizing an employee of a licensee to engage in the business of lending in the state at a remote location if authorized by the licensee and specific criteria are met (the Act also outlines prohibited conduct for persons working remotely). Remote work provisions apply to employees of a mortgage company, including mortgage loan originators, so long as the mortgage company provides authorization. The Act also exempts remote locations from certain mortgage transaction recordkeeping requirements, and instead stipulates that a mortgage company must “keep and maintain records of all mortgage transactions made by an employee at a remote location in accordance with the requirements established by the Commissioner of Mortgage Lending by regulation.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act. The remaining provisions take effect October 1, 2023, and January 1, 2024.

    Licensing State Issues State Legislation Nevada

  • Nevada expands collection agency licensing requirements

    On June 16, the Nevada governor signed SB 276 (the “Act”) to revise certain provisions relating to debt collection agencies and make amendments to the state’s collection agency licensing law. While existing law requires collection agencies to be licensed, the amendments expand the type of activities that trigger collection agency licensure. Notably, the Act now requires any “debt buyer” to hold a license, which is defined as “a person who is regularly engaged in the business of purchasing claims that have been charged off for the purpose of collecting such claims, including, without limitation, by personally collecting claims, hiring a third party to collect claims or hiring an attorney to engage in litigation for the purpose of collecting claims.” Mortgage servicers, however, are now exempt unless the “mortgage servicer is attempting to collect a claim that was assigned when the relevant loan was in default.” The amendments also repeal provisions governing foreign collection agencies and now require that such agencies be licensed in the same fashion as domestic collection agencies.

    In addition to licensed mortgage servicers, the amendments also exclude others from the definition of the term “collection agency,” including an expanded list of certain financial institutions (as well as their employees), persons collecting claims that they originated on their own behalf or originated and sold, and other persons not deemed to be debt collectors under federal law. The term “collection agent” has also been refined to exempt persons who do not act on behalf of a collection agency from requirements governing collection agents.

    The Act revises requirements relating to “compliance managers” (formerly referred to as “collection managers”) – including an avenue to request a waiver from the Nevada compliance manager examination requirement if certain experiential requirements are met – and makes changes to certain record retention and application requirements, including amendments to the frequency with which the commissioner reviews a licensee’s required bond amount (annually instead of semiannually). A provision requiring applicants to pursue branch licenses for second or remote locations is also repealed. Instead, collection agencies must simply notify the commissioner of the location of the branch office. Further, collection agencies are now required to display license numbers and certificate identification numbers of compliance managers on any website maintained by the collection agency.

    Additionally, the Act now authorizes collection agents to work remotely provided the agents meet certain criteria, including: (i) signing a written agreement prepared by the collection agency that requires the agent to maintain agency-appropriate security measures to ensure the confidentiality of customer information; (ii) refraining from disclosing details about the remote location to a debtor; (iii) refraining from conducting collection activity-related work with a debtor or customer in person at the remote location; (iv) allowing work conducted from the remote location to be monitored; and (v) completing various compliance and privacy training programs. Remote collection agents must adhere to certain practices requirements and restrictions set forth by both the Act and the FDCPA. Collection agencies must also maintain records of remote collection agents, provide oversight and monitoring of collection agents that work remotely, develop and implement a written security policy governing remote collection agents, and establish procedures to ensure collection agents working remotely are not acting in an illegal, unethical, or unsafe manner.

    Finally, the Act imposes new prohibitions against collection agencies and their agents and employees. Among other things, a collection agency (and its compliance manager, agents, or employees) is banned from suing to collect a debt when it knows or should have known that the applicable statute of limitations has expired. The amendments further clarify that the applicable limitation period is not revived upon “payment made on a debt or certain other activity relating to the debt after the time period for filing an action based on a debt has expired.” Certain notice must also be given to a medical debtor notifying that such a payment does not revive the applicable statute of limitations. A collection agency may also not sell “an interest in a resolved claim or any personal or financial information related to the resolved claim.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on October 1, 2023 for all other purposes. “Debt buyers” have until January 1, 2024 to submit a collection agency license application pursuant to the new provisions.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS

  • Connecticut joins states enacting commercial financing disclosures and lender and broker registration requirements

    State Issues

    On June 28, Connecticut became the latest state to require certain providers of sales-based commercial financing to provide disclosures to borrowers and that such providers and brokers register with the state. SB 1032 (the “Act”) defines “commercial financing” as any extension of sales-based financing by a provider in amounts of $250,000 or less, which the recipient does not intend to use primarily for personal, family, or household purposes. A “provider” is defined by the Act as “a person who extends a specific offer of commercial financing to a recipient” and includes, unless otherwise exempt, a “commercial financing broker,” but does not include “a bank, out-of-state bank, bank holding company, Connecticut credit union, federal credit union, out-of-state credit union or any subsidiary or affiliate of the foregoing.” “Sales-based financing” means a transaction that is repaid by the recipient to the provider over time (i) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the volume of sales made or revenue received by the recipient, or (ii) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue. The Act establishes parameters for qualifying commercial transactions and outlines numerous additional exemptions.

    Under the Act, when extending a specific offer for sales-based financing, the provider must disclose the terms of the transaction as specified within the Act. As a condition of obtaining commercial financing, should the provider require a recipient to pay off the balance of existing commercial financing from the same provider, the provider would be required to include additional disclosures. The Act also sets out the conditions and criteria under which a provider may be permitted to use another state’s commercial financing disclosure requirements, provided those requirements meet or exceed Connecticut’s provisions. Providers may rely on a statement of intended purpose made by the “recipient” (defined as “a person, or the authorized representative of a person, who applies for commercial financing and is made a specific offer of commercial financing by a provider”) to determine whether the financing is commercial financing.

    Further, the Act provides that a commercial financing contract entered into on or after July 1, 2024, may not contain any provisions waiving a recipient’s right to notice, judicial hearing, or prior court order in connection with the provider obtaining any prejudgment remedy. Additionally, a provider may not revoke, withdraw, or modify a specific offer until midnight of the third calendar day after the date of the offer. Notably, there is a requirement that providers and brokers of commercial financing be registered with the state banking commissioner, in addition to adhering to the prescribed disclosure requirements, no later than October 1, 2024.

    Finally, the banking commissioner is authorized to adopt regulations to carry out the Act’s provisions. Providers who violate the Act’s provisions, or any adopted regulations, will be subject to civil penalties. The commissioner may also seek injunctive relief against providers who knowingly violate any of the provisions.

    The Act takes effect July 1, 2024.

    State Issues State Legislation Connecticut Commercial Finance Disclosures Broker

  • DFPI orders crypto platform to halt operations

    State Issues

    On June 27, the California Department of Financial Protection and Innovation (DFPI) issued a desist and refrain order against a digital asset trading platform and two of its promoters for allegedly selling unqualified securities and making material misrepresentations and omissions to investors, a violation of California securities laws.

    DFPI alleges that the platform leveraged a “multi-level marketing scheme” to award its promoters who sold unqualified securities to investors in the form of investment contracts and received cash investments ranging from $5,000-$20,000. Allegations also include that the platform “purported” to provide educational classes designed to empower the Latino community with respect to crypto asset trading. The order details that through these efforts to garner more investors, “misrepresentations of material fact [were made] to investors and potential investors, namely that investors would receive a return on their initial investment every three months.” Investors have allegedly not received any return on their initial investment. The commissioner found that the platform “fail[ed] to provide the promised returns on their purported investments” and that “[d]espite multiple requests, investors have not had their funds returned.”

    The order requires the platform to desist and refrain from the offer and sale of securities and stop making misrepresentations about returns in California.

    State Issues Securities Fintech DFPI Cryptocurrency Enforcement Digital Assets California

  • 26 state AGs support FTC’s proposal on Negative Option Rule

    State Issues

    On June 26, a coalition of 26 state attorneys general from New York, Pennsylvania, Alabama, Arizona, California, Colorado, Connecticut, Delaware, District of Columbia, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Oklahoma, Oregon, Vermont, Washington, and Wisconsin, submitted a comment letter in support of the FTC’s proposed amendments to its Negative Option Rule. While the Negative Option Rule is intended to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs, the FTC maintained that current laws and regulations do not clearly provide a consistent legal framework for these types of programs. (Covered by InfoBytes here.)

    In March, the FTC issued a notice of proposed rulemaking (NPRM), which would apply to all subscription features in all media (including “the internet, telephone, in-print, and in-person transactions”) and would regulate additional types of negative-option practices, including automatic renewals, free trial offers, and continuity plans. The NPRM proposes to add a new “click to cancel” provision making it as easy for consumers to cancel their enrollment as it was to sign up. Sellers would be required to first ask consumers whether they want to hear about new offers or modifications before making a pitch when consumers are trying to cancel their enrollment. Sellers further must provide consumers who are enrolled in negative option programs involving anything other than physical goods with an annual reminder before those programs are automatically renewed.

    In their letter, the states expressed support for the FTC’s NPRM, in particular, the provisions that would preserve state authority to regulate negative-option marketing and to enact greater protections and stricter laws than those proposed by the FTC. The states also agreed that the NPRM provides additional guidance and clarity on how businesses can comply with existing legal frameworks. However, the states urged the FTC to consider additional clarifications and improvements, including (i) requiring businesses to “clearly and conspicuously inform consumers of any conditions (or lack thereof) concerning cancellation”; (ii) requiring businesses to obtain an additional round of consent before charging a consumer at the end of a free trial; (iii) clarifying that businesses’ cancellation mechanisms must be cost effective, timely, simple, and easy to use; (iv) expanding the methods that a consumer may use to cancel a recurring contract and allowing “all consumers to cancel through any medium that the seller uses to sell subscriptions or memberships, regardless of the medium through which that particular consumer signed up”; and (v) requiring businesses to provide negative option reminders in additional ways—“not only through the same medium that the consumer used to consent to the negative option feature but also through any other medium that the seller uses to communicate with the consumer.”

    State Issues Agency Rule-Making & Guidance State Attorney General FTC Negative Option

  • Court orders credit union to pay $5 million to settle overdraft allegations

    Courts

    On June 27, the U.S. District Court for the Northern District of New York granted final approval of a class action settlement, resulting in a defendant credit union paying approximately $5.2 million to settle allegations concerning illegal overdraft/non-sufficient funds (NSF) fees and inadequate disclosure practices. As described in plaintiffs’ unopposed motion for preliminary approval, the defendant was sued in 2020 for violating the EFTA (Regulation E) and New York General Business Law (NY GBL) § 349. According to plaintiffs, defendant charged overdraft fees and NSF fees that were not permitted under its contracts with its members or Regulation E. Plaintiffs’ Regulation E and NY GBL liability theories are premised on the argument that defendant’s “opt-in form did not inform members that these fees were charged under the ‘available balance’ metric, rather than the ‘actual’ or ‘ledger’ balance metric”—a violation of Regulation E and NY GBL § 349. The plaintiffs’ liability theory was that defendant’s “contracts did not authorize charging overdraft fees when the ledger or actual balance was positive.” 

    Under the terms of the settlement, defendant is required to pay $2 million, for which 25 percent of the settlement fund will be allocated to class members’ Regulation E overdraft fees, 62.5 percent will go to class members’ GBL overdraft fees, and 12.5 percent will be allocated to class members’ breach of contract overdraft fees. Defendant is also required to pay $948,812 in attorney’s fees, plus costs, and $10,000 service awards to the two named plaintiffs. Additionally, the defendant has agreed to change its disclosures and will “forgive and release any claims it may have to collect any at-issue fees which were assessed by [defendant] but not collected and subsequently charged-off, totaling approximately $2,300,000.”

    Courts State Issues New York Overdraft NSF Fees Consumer Finance Credit Union Settlement Class Action EFTA Regulation E

  • 4th Circuit upholds sanctions against debt relief operation

    Courts

    On June 23, the U.S. Court of Appeals for the Fourth Circuit upheld a default judgment entered against a debt relief operation and related individuals accused of violating the TCPA and the West Virginia Consumer Credit and Protection Act (WVCCPA). Plaintiff-appellee alleged she received multiple telemarketing phone calls regarding debt relief offered through lower interest rates on credit cards from the defendants (including the appellants). During discovery, defendants allegedly engaged in “evasive discovery tactics” and “relentless sandbagging,” which resulted in a magistrate judge entering multiple orders to compel. Defendants allegedly continued to call the plaintiff-appellee for more than a year after she filed her initial complaint. Additional defendants (including some of the appellants) were added via amended complaints as she discovered defendants had allegedly “formed a vast and complex web of corporate entities.”

    The district court eventually sanctioned the appellants and struck their defenses for, among other things, engaging in a “pattern of concealing discoverable material” and failing to obey court orders. Appellants filed a motion for reconsideration, claiming the sanctions were too harsh and came as a surprise, the discovery abuses were “inadvertent,” and the plaintiff-appellee had not been prejudiced. Plaintiff-appellee then filed a renewed motion for sanctions outlining continued violations by appellants. Eventually, the district court entered a default judgment against the appellants for failing “to respond fulsomely and accurately to discovery requests and to comply with court orders pertaining to those requests.” The sanctions imposed an $828,801.36 judgment plus costs.

    On appeal, the 4th Circuit concluded the district court did not abuse its discretion in finding appellants acted in bad faith and entered default judgment against them. The appellate court explained that there are certain circumstances, including this action, “where the entry of default judgment against a defendant for systemic discovery violations is the natural next step in the litigation, even without an explicit prior warning from the district court.” The appellate court further concluded the record contradicted each of the appellants’ arguments and held appellants “had fair ‘indication that sanctions might be imposed against [them]’ for their continued discovery and scheduling order violations.” With respect to appellants’ arguments that the district court awarded damages for the same purported calls pursuant to both the TCPA and the WVCCPA, the 4th Circuit found that penalties under these statutes are not exclusive and that they separately penalize different violative conduct. “[D]amages under the WVCCPA may be awarded in addition to those under the TCPA for a single communication that violates both statutes,” the appellate court wrote, adding that a plaintiff can also “recover separate penalties under separate sections of the TCPA even if the violations occurred in the same telephone call.”

    Courts State Issues Appellate Fourth Circuit West Virginia TCPA Debt Relief Consumer Finance

  • Split 9th Circuit: Nevada’s medical debt collection law is not preempted

    Courts

    The U.S. Court of Appeals for the Ninth Circuit recently issued a split decision upholding a Nevada medical debt collection law after concluding the statute was preempted by neither the FDCPA nor the FCRA, and did not violate the First Amendment. SB 248 took effect July 1, 2021, in the wake of the Covid-19 pandemic, and requires debt collection agencies to provide written notification to consumers 60 days “before taking any action to collect a medical debt.” Debt collection agencies are also barred from taking any action to collect a medical debt during the 60-day period, including reporting a debt to a consumer reporting agency.

    Plaintiffs, a group of debt collectors, sued the Commissioner of the Financial Institutions Division of Nevada’s Department of Business and Industry after the bill was enacted, seeking a temporary restraining order and a preliminary injunction. In addition to claiming alleged preemption by the FDCPA and the FCRA, plaintiffs maintained that SB 248 is unconstitutionally vague and violates the First Amendment. The district court denied the motion, ruling that none of the arguments were likely to succeed on the merits.

    In agreeing with the district court’s decision, the majority concluded that SB 248 is not unconstitutionally vague with respect to the term “before taking any action to collect a medical debt” and that any questions about what constitute actions to collect a medical debt were addressed by the statute’s implementing regulations. With respect to whether SB 248 violates the First Amendment, the majority held that debt collection communications are commercial speech and thus not subject to strict scrutiny. As to questions of preemption, the majority determined that SB 248 is not preempted by either the FDCPA or the FCRA. The majority explained that furnishers’ reporting obligations under the FCRA do not include a deadline for when furnishers must report a debt to a CRA and that the 60-day notice is not an attempt to collect a debt and therefore does not trigger the “mini-Miranda warning” required in a debt collector’s initial communication stating that “the debt collector is attempting to collect a debt.”

    The third judge disagreed, arguing, among other things, that the majority’s “position requires setting aside common sense” in believing that the FDCPA does not preempt SB 248 because the 60-day notice is not an action in connection with the collection of a debt. “The only reason that a debt collector sends a Section 7 Notice is so that he can later start collecting a debt,” the dissenting judge wrote. “It is impossible to imagine a situation where a debt collector would send such a notice except in pursuit of his goal of ultimately obtaining payment for (i.e., collecting) the debt.” The dissenting judge further argued that by delaying the reporting of unpaid debts, SB 248 conflicts with the FCRA’s intention of ensuring credit information is accurately reported.

    Courts State Issues Appellate Ninth Circuit Debt Collection Medical Debt Nevada FDCPA FCRA Covid-19 Credit Reporting Agency
