InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Maryland amends student financing company registration
On May 8, the Maryland governor signed HB 913 to amend certain provisions relating to student financing company registration and reporting requirements. Among other things, the Act defines the term “student financing company” to mean “an entity engaged in the business of securing, making, or extending student financing products, or any purchaser, assignee, or holder of student financing products.” Student financing companies seeking to provide services in the state will be required to register with the Commissioner of Financial Regulation beginning March 15, 2024. Additionally, the Act provides that a student financing company seeking to renew its registration on an annual basis may be required to pay a fee at the time of renewal. The Act also authorizes the Commissioner to adopt registration procedures for student financing companies, including the use of the Nationwide Multi-State Licensing System and Registry, and may impose certain fees for using the registry. Additionally, the Act makes several technical clarifying provisions to the reporting requirements for student financing companies to be filed with the Commissioner annually on or before March 15. Furthermore, on or before June 15, 2024 (and each June 15 thereafter), information reported by the student financing companies will be available on a publicly accessible website to be developed and maintained by the Commissioner. The Act is effective October 1.
NYDFS proposes vetting guidance for licensed or chartered entities
On May 9, NYDFS Superintendent Adrienne A. Harris released proposed guidance for banking organizations and non-depository financial institutions chartered or licensed under the New York Banking Law concerning the Department’s character and fitness assessment expectations. The proposed guidance sets forth several criteria, including that covered institutions (i) update and modernize policies and procedures to ensure designated persons, including senior officers and governing board members, undergo a robust initial vetting process to make sure no new circumstances or conflicts of interests arise that may compromise the organization; (ii) take a risk-based and proportionate approach to ensure their vetting frameworks are tailored to meet their specific business needs, operations, and risks; (iii) promptly inform NYDFS if, through a character and fitness review, a determination is made that a previously vetted designated person is no longer fit to perform the current function, or if a designated person has been transferred to another position or group (or modifications are made to a designated person’s current functions); and (iv) vet each designated person at the time they become a designated person, regardless of whether the person currently is or previously was a designated person at a different covered institution, including in instances involving a merger or acquisition. The announcement noted that a covered institution’s compliance with the guidance will be reviewed as part of its regular examination framework. Comments on the proposed guidance are due June 30.
FTC obtains TROs to halt student loan debt relief schemes
On May 8, the FTC announced that the U.S. District Court for the Central District of California recently issued temporary restraining orders (TROs) against two student loan debt relief companies that allegedly tricked consumers into paying for nonexistent repayment and loan forgiveness programs. According to the complaints (see here and here), the defendants allegedly made deceptive claims in order to lure low-income consumers into paying hundreds to thousands of dollars in illegal upfront fees as part of a purported plan to pay down their student loans. The defendants allegedly made consumers believe that they were enrolled in a legitimate loan repayment program, that their loans would be forgiven in whole or in part, and that most or all of their payments would be applied to their loan balances. The FTC alleges that, in reality, the defendants pocketed the borrowers’ payments. The FTC also charged the defendants with falsely claiming to be or be affiliated with the Department of Education and stating that they were purchasing borrowers’ debt from federal student loan servicers in order to secure debt relief on their behalf. When consumers realized the debt relief program did not exist, the defendants allegedly often refused to provide refunds.
According to the FTC, these deceptive misrepresentations violated Section 5 of the FTC Act and the Telemarketing Sales Rule (TSR). The FTC also alleges that the companies violated the Gramm-Leach-Bliley Act (GLBA), by using deceptive tactics to obtain consumers’ financial information, and the TSR, by calling numbers listed on the National Do Not Call Registry and by failing to pay required Do Not Call Registry fees for access. In issuing the TROs (see here and here), which temporarily halt the two schemes and freeze the defendants’ assets, the court noted that, upon “[w]eighing the equities and considering the FTC’s likelihood of ultimate success on the merits,” there is good cause to believe that immediate and irreparable harm will occur as a result of the defendants’ ongoing violations of the FTC Act, the TSR, and the GLBA, unless the defendants are restrained and enjoined.
Indiana amends mortgage loan originator licensing requirements
On May 4, the Indiana governor signed SB 452 to amend Indiana code governing financial institutions. Among other things, the Act amends a provision to require the Department of Financial Institutions to adopt emergency rules no later than June 30, 2024, to authorize certain licensees (or certain exempt persons aside from a person that has voluntarily registered with the Department) “to sponsor one (1) or more mortgage loan originators, who are not employees of the sponsoring person, to perform mortgage loan originator activities” provided certain criteria is met. Requirements include that (i) each sponsored person performs mortgage loan originator activities exclusively for the sponsoring person (as provided in a written agreement); (ii) the sponsoring person assumes responsibility for and reasonably supervises the activities of each sponsored mortgage loan originator; (iii) the sponsoring person maintains a bond that covers all sponsored mortgage loan originators; and (iv) each sponsored mortgage loan originator possesses a current, valid insurance producer license as required under state law. The emergency rules must meet the requirements of the Secure and Fair Enforcement for Mortgage Licensing Act of 2008, HUD and CFPB interpretations of that Act, as well as a subsequent amendment provided by the Economic Growth, Regulatory Relief, and Consumer Protection Act.
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
State appeals court says electronic bank statement constituted notice of new terms
On May 4, the Colorado Court of Appeals held that a plaintiff had constructive notice of updated terms and conditions in her membership agreement with a defendant credit union, which included an arbitration agreement with an opt-out provision. Plaintiff entered into a finance agreement with an auto dealer, which assigned the agreement to the defendant. To complete the assignment, the plaintiff opened a savings account and signed an agreement, in which she consented to receiving and accepting statements, notices, and disclosures electronically. A few years later, the defendant updated its membership agreement’s terms to include the arbitration provision and sent notices to members with their monthly bank statements. Plaintiff received an email with information about the updates and was given an opportunity to opt-out of the arbitration provision in writing within 30 days. Records show that the plaintiff received the email but did not open it. Defendant filed a motion to dismiss plaintiff’s class action complaint and compel arbitration, but the district court concluded that the plaintiff did not have actual or constructive notice of the arbitration agreement. In reversing the district court’s ruling, the Court of Appeals wrote “we do not deem the notice as being buried or hidden in [defendant’s] email, or the surrounding information as cluttering the screen to the extent that a reasonable person would be distracted from the important notice about the ‘updated ... Membership and Account Agreement.’” The Court of Appeals also disagreed with plaintiff’s argument that her “express and affirmative consent” was required for the defendant to add the arbitration provision to the terms, stating that “[u]nder the totality of the circumstances, [plaintiff] is deemed to have assented to the addition of the arbitration agreement” as she was constructively notified of the change, did not exercise her right to opt out, and continued to use her account.
While concurring with the majority, one of the judges questioned whether the “current ‘reasonable person’ standard that courts use for constructive notice is outdated given the economic realities of the digital age.” The judge asked whether the monthly bank statement has “significantly diminished in importance” or is becoming obsolete since consumers are able to check bank account balances and transactions “at any time and from any location.”
Fed and Illinois regulator take action against bank on capital and management
On May 4, the Federal Reserve Board announced an enforcement action against an Illinois state-chartered community bank and its holding company related to alleged deficiencies identified in recent examinations. While the written agreement (entered into by the parties at the end of April) does not outline the specific deficiencies, it notes that the bank and the holding company have started taken corrective action to address the issues identified by the Federal Reserve Bank of St. Louis (FRB) and the Illinois Department of Financial and Professional Regulation (IDFPR). Among other things, the holding company’s board of directors must take appropriate steps to fully use its financial and managerial resources to ensure the bank complies with the written agreement and any other supervisory action taken by the bank’s federal or state regulator. The board is also required to submit a written plan to the FRB and the IDFPR describing actions and measures it intends to take to strengthen board oversight of the management and operations of the bank. The bank is required to submit a written plan outlining its current and future capital requirements and must notify the FRB and the IDFPR within 30 days after the end of any calendar quarter in which its capital ratios fall below the minimum ratios specified within the approved capital plan. Additionally, the bank is prohibited from taking on debt, redeeming its own stock, or paying out dividends or distributions without the prior approval of state and federal regulators.
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to filed a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however that some of the deficiencies may be cured through additional factual allegations in an amended complaint.
Indiana enacts Money Transmission Modernization Act
On May 4, the Indiana governor signed SB 458, which repeals current Indiana code governing the licensing and regulation of money transmitters by the Department of Financial Institutions. The bill adds a new chapter codifying the Money Transmission Modernization Act, and outlines provisions to be administered by the Department’s Division of Consumer Credit. Among other things, the Act is designed to eliminate unnecessary regulatory burden and ensure states are able to coordinate in all areas of regulation, licensing, and supervision. The Act will also enforce compliance with applicable state and federal laws, standardize activities subject to or exempt from licensing, and modernize safety and soundness requirements to protect customer funds, while also supporting innovation and competitive business practices. The Act defines terms, outlines exemptions, and establishes authorities for the director who many enter into agreements with other government officials or regulatory agencies/associations to improve efficiencies and reduce regulatory burden. The Department is also granted authority to interpret and enforce the chapter, promulgate rules and regulations, and recover administrative and enforcement costs.
With respect to licensing provisions, the director is authorized to report complaints received concerning licensees, as well as significant or recurring violations, to the Nationwide Multi-State Licensing System and Registry (NMLS), and may use NMLS for all aspects of licensing, including applications, surety bonds, reporting, background checks, credit checks, fee processing, and examinations. Moreover, the director may also “participate in multistate supervisory processes established between states and coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and the affiliates and successors of either organization, for all licensees that hold licenses in Indiana and other states,” including entering into agreements to coordinate and share information.
The Act outlines licensing application procedures, as well as licensees’ rights, reporting and recordkeeping requirements, examination processes for outside vendors that provide services normally undertaken by the licensee, criminal penalties, surety bonds, permissible investments, authorized delegate provisions, and explains how the Act applies to licensees issued a license under the current statute, among other things. Additionally, licensees are required to pay all costs reasonably incurred in connection with an examination of the licensee or the licensee’s authorized delegate. The Act’s provisions take effect January 1, 2024.
EU court says non-material damages in unlawful data processing may be eligible for compensation
On May 4, the Court of Justice of the European Union (CJEU) issued a judgment concluding that while not every infringement of the EU’s data protection law gives rise, by itself, to a right to compensation, non-material damage resulting from unlawful processing of data can be eligible for compensation. The CJEU reviewed questions posed by the Austrian Supreme Court on whether a mere infringement of the GDPR is sufficient to confer the right to compensation for individuals suffering non-material damages, and whether such compensation is possible only if the non-material damage suffered reaches a certain degree of seriousness. The Austrian Supreme Court also asked the CJEU to clarify what the EU-law requirements are when determining the amount of damages.
The CJEU clarified that the General Data Protection Regulation (GDPR) does not set thresholds for the “seriousness” of damages needed to confer a right to compensation. “[I]t is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement,” the court said in the announcement. Limiting the right to compensation to non-material damage that reaches a certain threshold requirement would be contrary to the broad conception of “damage” outlined in EU law, the CJEU explained, pointing out that obtaining compensation based on a certain threshold would result in different outcomes depending on a court’s assessment. Moreover, the CJEU emphasized that because the GDPR does not contain any rules governing the assessment of damages, it is up to the each member state’s legal system to prescribe detailed rules for actions intended to safeguard individual’s rights under the GDPR, as well as the criteria for determining the amount of compensation, provided the determination complies with the principles of equivalence and effectiveness. The CJEU explained in its ruling that “an infringement of the GDPR does not necessarily result in damage, and [] that there must be a causal link between the infringement in question and the damage suffered by the data subject in order to establish a right to compensation.”