InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Utah amends disclosure requirements for data breaches
On March 23, the Utah governor signed SB 127, which, among other things, requires additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”
The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.
The amendments are effective 60 days follow adjournment of the legislature.
Crypto lender to provide refunds to Californians
On March 27, the California Department of Financial Protection and Innovation (DFPI) announced that a New Jersey-based crypto lending platform has agreed to provide more than $100,000 in refunds to California residents. The refunds, subject to bankruptcy court approval, stem from the lender’s conduct following the collapse of a major crypto exchange last November. As previously covered by InfoBytes, in December, DFPI moved to revoke the lender’s California Financing Law license following an examination, which found that the lender “failed to perform adequate underwriting when making loans and failed to consider borrowers’ ability to repay these loans, in violation of California’s financing laws and regulations.” At the time the lender announced it was limiting platform activity and pausing client withdrawals. The lender eventually filed a petition for chapter 11 bankruptcy. An investigation also revealed that due to the lender’s failure to timely notify borrowers that they could stop repaying their loans, borrowers remitted at least $103,471 in loan repayments to the lender’s servicer while they were unable to withdraw funds and collateral from the platform. A hearing on the lender’s petition to direct its servicer to return borrowers’ loan repayments is scheduled for April 19.
The lender agreed to an interim suspension of its lending license while the bankruptcy and revocation actions are pending. It also agreed to a final order to discontinue unsafe or injurious practices, as well as a desist and refrain order. Among other things, the lender has agreed to continue to direct its agents to pause collection of repayments on loans belonging to California residents while its license is suspended (including turning off autopay), will continue to set interest rates to 0 percent, and continue to not levy any late fees associated with any payments or report any loans that became delinquent or defaulted on or after November 11, 2022, to credit reporting agencies while the bankruptcy and revocation actions are pending.
Kentucky modifies allowable charges on consumer loans
On March 29, Kentucky enacted SB 165 to amend Kentucky code to modify permitted loan charges for consumer loan companies. Specifically, licensees may make loans up to $15,000, excluding charges; however, the original principal amount determines how much a licensee may charge, contract for, and receive on a loan. For loans with an original principal amount under $5,000, a licensee may charge up to 3 percent per month on the original principal of the loan, as well as on any charges, including fees, costs, expenses, or other amounts authorized by the act on the loan contract. Licensees may charge 2.42 percent on loans between $5,000 and $10,000, and 2.25 percent on loans exceeding $10,000. Additionally, every loan payment may now “be applied to the face amount of the note until the loan contract is paid in full.” The amendments also stipulate that a licensee is not allowed to “induce or permit a person to become obligated to the licensee, directly or contingently, or both under any loan contract entered into within [10] days of the origination of another loan contract with the same person for the purpose or with the result of obtaining charges.” Moreover, should a licensee make a second or subsequent loan to a person outside of the 10-day period, “the licensee shall not be required to limit the loan charges to the aggregate amount of what the loans combined would dictate under this subtitle.” For borrowers that request loan funding in a manner other than a physical check, a licensee may charge a $3 funding fee per loan for distributing the proceeds in the manner requested by the borrower. The amendments are effective 90 days after adjournment of the legislature.
Iowa establishes refund requirements for voluntary debt cancellation coverage
On March 22, the Iowa governor signed HF 133 relating to refund payments made in connection with motor vehicle debt cancellation coverage. The act provides that if a creditor is a financial institution, as defined in the Iowa consumer credit code or the Gramm-Leach-Bliley Act, and purchases a retail installment contract with voluntary debt cancellation coverage, “the only obligation of the creditor upon prepayment in full shall be to notify the motor vehicle dealer within thirty days of the prepayment.” It is the motor vehicle dealer’s responsibility to promptly determine whether a consumer is eligible to receive a refund of any voluntary debt cancellation coverage. Any refunds must be issued directly to the consumer within 60 days of the dealer receiving notice of prepayment from the creditor. The act is effective July 1.
Virginia credit unions may offer virtual currency custody
On March 23, the Virginia governor signed HB 1727, which amends the Virginia code to allow credit unions operating in the commonwealth to engage in virtual currency custody services, provided the credit union “has adequate protocols in place to effectively manage risks and comply with applicable laws and, prior to offering virtual currency custody services, the credit union has carefully examined the risks in offering such services through a methodical self-assessment process.” The amendments stipulate that in order to engage in such services, a credit union must implement effective risk management systems and controls, confirm adequate insurance coverage, and maintain a service provider oversight program.
The amendments further provide that a credit union may offer such services in a fiduciary or nonfiduciary capacity; however, in order to provide virtual currency custody services in a fiduciary capacity, the credit union must first obtain approval from the State Corporation Commission. Commission approval is contingent upon a credit union having sufficient capital structure to support providing such services, credit union personnel being adequately trained to ensure compliance with governing laws and regulations, and that granting such authority is in the public interest. The amendments are effective July 1.
DFPI releases more proposed CCFPL modifications on complaints and inquiries
On March 23, the California Department of Financial Protection and Innovation (DFPI or the Department) released a second round of modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) (b), and (d)(2)(D) of the CCFPL. Subdivisions (a) and (b) authorize the DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and the DFPI concerning consumer complaints and inquiries, and subdivision (d)(2)(D) permits covered persons to withhold certain non-public or confidential information when responding to consumer inquiries. The first round of proposed modifications to the NPRM was released in December (covered by InfoBytes here).
DFPI considered comments received on the initially proposed text and the proposed modifications and is now proposing the following additional changes:
- Applicability. The proposed modifications clarify that Sections 1072, 1073, and 1074 apply only to covered persons required to be licensed by the DFPI or registered with the DFPI “pursuant to Financial Code sections 90009 and 90009.5, including any rules promulgated thereunder.”
- Amended definitions. The proposed modifications add an additional exclusion from the definition of “complaint[,]” excluding a “notice of error filed with a remittance transfer provider.” “Complainant” is amended to clarify that it does not include individuals who are not residents of California at the time “the act, omission, decision, condition, or policy giving rise to the complaint was applied to the consumer.”
- Complaint processes and procedures. Among other things, the proposed modifications add requirements that (i) covered persons issue initial and annual disclosures to California residents that include the procedures for filing a complaint; (ii) the main home page or main contact page include the set hours a live representative is normally available to accept oral complaints; (iii) all written communications—not just the final decision—related to a complaint must be submitted in the language in which the contract was negotiated; and (iv) make changes to DFPI’s annual complaint report requirements, including a new category related to nuisance complaints.
Comments are due April 7.
FDIC orders neobank to stop fraudulent deposit insurance representations
On March 27, the FDIC sent a letter to a neobank demanding that it stop making false or misleading representations about FDIC deposit insurance and take immediate corrective action to address these statements. The FDIC maintained that the neobank and/or its officers made false and misleading statements in English and Spanish suggesting that it is FDIC-insured and that FDIC insurance will protect customers’ cryptocurrency assets. The FDIC explained in the letter that not only is the neobank not FDIC-insured, the FDIC does not insure crypto assets. “By not distinguishing between US-dollar deposits and crypto assets, the statements imply FDIC insurance coverage applies to all customer funds (including crypto assets),” the letter said. Moreover, the neobank also failed to “clearly and conspicuously identify an insured deposit institution for placement of deposits,” the FDIC said in its announcement. Under the Federal Deposit Insurance Act, the announcement added, persons are prohibited “from representing or implying that an uninsured product is FDIC-insured or from knowingly misrepresenting the extent and manner of deposit insurance.” The FDIC requested a response within 15 days.
CFPB: TILA does not preempt state commercial financial disclosures
On March 28, the CFPB issued a determination that state disclosure laws covering lending to businesses in California, New York, Utah, and Virginia are not preempted by TILA. The preemption determination confirms a preliminary determination issued by the Bureau in December, in which the agency concluded that the states’ statutes regulate commercial financing transactions and not consumer-purpose transactions (covered by InfoBytes here). The Bureau explained that a number of states have recently enacted laws requiring improved disclosure of information contained in commercial financing transactions, including loans to small businesses. A written request was sent to the Bureau requesting a preemption determination involving certain disclosure provisions in TILA. While Congress expressly granted the Bureau authority to evaluate whether any inconsistencies exist between certain TILA provisions and state laws and to make a preemption determination, the statute’s implementing regulations require the agency to request public comments before making a final determination. In making its preliminary determination last December, the Bureau concluded that the state and federal laws do not appear “contradictory” for preemption purposes, and that “differences between the New York and Federal disclosure requirements do not frustrate these purposes because lenders are not required to provide the New York disclosures to consumers seeking consumer credit.”
After considering public comments following the preliminary determination, the Bureau again concluded that “[s]tates have broad authority to establish their own protections for their residents, both within and outside the scope of [TILA].” In affirming that the states’ commercial financing disclosure laws do not conflict with TILA, the Bureau emphasized that “commercial financing transactions to businesses—and any disclosures associated with such transactions—are beyond the scope of TILA’s statutory purposes, which concern consumer credit.”
SEC proposes to expand EDGAR filings
On March 22, the SEC proposed amendments intended to “modernize” filing procedures through the use of electronic filings on EDGAR using structured data as appropriate. (See also SEC fact sheet here.) Currently, registrants must submit many forms required by the Securities Exchange Act, as well as other materials and submissions, in paper form. The proposed rule would require covered self-regulatory organizations (SROs) to submit these filings electronically, and would apply to national securities exchanges, national securities associations, clearing agencies, broker-dealers, security-based swap dealers, and major security-based swap participants. The proposed rule also would require SROs to make certain submissions in a structured, machine-readable data language, and would amend certain provisions regarding the Financial and Operational Combined Uniform Single Report to harmonize it with other rules, make technical corrections, and provide clarifications. Additionally, the announcement noted that the proposed rule would require, in certain circumstances, withdrawal of notices “filed in connection with an exception to counting certain dealing transactions toward determining whether a person is a security-based swap dealer.” Comments on the proposed rule will be accepted 30 days after publication in the Federal Register or until May 22, whichever is later.
FTC to ban auto warranty operation
On March 24, the FTC announced that a Florida-based group of operators (defendants) faces a permanent ban from the extended automobile warranty industry and will be barred from any further involvement in outbound telemarketing. As previously covered by InfoBytes, the defendants allegedly violated the FTC Act and the Telemarketing Sales Rule by allegedly engaging in deceptive practices when marketing and selling automobile warranties. According to the FTC, the defendants, among other things, (i) misrepresented their affiliation with consumers’ car dealers or manufacturers; (ii) misrepresented warranty coverage; (iii) falsely promised consumers they could obtain a full refund if they cancelled within 30 days; (iv) used remotely created checks, which are illegal in telemarketing transactions; and (v) placed unsolicited calls to numbers on the do not call registry. The proposed stipulated order for permanent injunction, filed in the U.S. District Court for the Southern District of Florida, would require the defendants to pay a $6.6 million monetary judgment and would impose a permanent industry ban. However, the monetary judgment is largely suspended based on the defendants’ inability to pay.