InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Minnesota further regulates payday loans
On May 24, Minnesota enacted SF 2744 (the “Act”) to amend several sections of the state statutes relating to payday loans. Among other things, Section 47.603 has been added to create barriers for payday lenders charging annual interest rates of more than 36 percent and to require payday lenders to assess the borrower’s ability to repay a payday loan or payday advance.
The provisions specify an ability to repay analysis, which requires a payday lender to first determine whether a borrower has the ability to make the loan payment at the end of the loan period. The Act further explains that a “payday lender’s ability to repay determination is reasonable if, based on the calculated debt-to-income ratio for the loan period, the borrower can make payments for all major financial obligations, make all payments under the loan, and meet basic living expenses during the period ending 30 days after repayment of the loan.” Additionally, amendments replace past provisions for charges in lieu of interest, with an umbrella policy for any consumer small loan with an annual percentage rate of up to 50 percent that bans lenders from adding any additional charges or payments in connection with the loan.
The amendments will apply to “consumer small loans” and “consumer short-term loans,” as defined by the Act, originated on or after January 1, 2024.
Florida enacts privacy legislation; requirements focus on digital industry
On June 6, the Florida governor approved SB 262 to create the Florida Digital Bill of Rights (FDBR) and establish a framework for controlling and processing consumer personal data in the state, applicable only to companies that meet certain criteria and bring in global gross annual revenues of more than $1 billion. Specifically, the FDBR applies to “controllers,” or any person that conducts business in Florida, collects personal data about consumers (or is an entity on behalf of which this information is collected), determines the purposes and means of processing consumers’ personal data (alone or jointly with other entities), meets the revenue minimum, and satisfies at least one of the following criteria: (i) derives at least 50 percent of global gross revenue from the sale of online advertisements (including targeted advertising); (ii) operates a consumer smart speaker and voice command component service; or (iii) operates an app store or a digital distribution platform offering a minimum of 250,000 unique software applications available for download. The FDBR outlines exemptions, including exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as certain covered entities governed by the Health Insurance Portability and Accountability Act.
- Consumer rights. Under the FDBR, Florida consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and to access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The FDBR also adds biometric data and geolocation information to the definition of personal information.
- Controllers’ responsibilities. Data controllers under the FDBR will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) securing personal data and implementing appropriate data security protection practices; (v) not processing data in violation of state or federal anti-discrimination laws; (vi) obtaining consumer consent in order to process sensitive data (consent may be revoked at any time); (vii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (viii) providing clear privacy notices. The FDBR also sets forth obligations relating to contracts between a controller and a processor.
- No private cause of action but enforcement by the Florida Department of Legal Affairs. The FDBR explicitly prohibits a private cause of action. Instead, it grants the department exclusive authority to bring actions under the Florida Deceptive and Unfair Trade Practices Act and seek penalties of up to $50,000 per violation, which may be tripled for any violation involving a child under the age of 18 for which the online platform has actual knowledge. The department is also granted authority to adopt rules to implement the FDBR.
- Right to cure. Upon discovering a potential violation of the FDBR, the department must give the controller written notice. The controller then has 45 days to cure the alleged violation before the department can file suit.
Minor children are also afforded specific protections under the FDBR, including prohibiting online platforms that provide services or features to children from processing children’s personal information or from collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature. Additionally, the FDBR includes provisions addressing political ideology and government-led censorship.
The FDBR takes effect July 1, 2024.
Florida now joins nine other states in enacting comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana.
More states targeting commercial financing disclosures
Several states are moving forward on legislation relating to commercial financing disclosures. While Georgia is the most recent state to require disclosures in connection with commercial financing transactions of $500,000 or less (covered by InfoBytes here), additional states, including Connecticut and Florida, are moving bills through the legislature that would also impose several requirements on commercial financing lenders and providers.
Awaiting the governor’s signature, Connecticut SB 1032 would require certain providers of commercial financing to make various disclosures, with violators being subject to civil penalties. The requirements are applicable to sales-based financing in amounts of $250,000 or less. A “provider” is defined by the bill as “a person who extends a specific offer of commercial financing to a recipient” and includes, unless otherwise exempt, a “commercial financing broker,” but does not include “a bank, out-of-state bank, bank holding company, Connecticut credit union, federal credit union, out-of-state credit union or any subsidiary or affiliate of the foregoing.” The bill establishes parameters for qualifying commercial transactions and outlines numerous additional exemptions. Providers may also be able to rely on a statement of intended purpose made by the “recipient” – which is defined as “a person, or the authorized representative of a person, who applies for commercial financing and is made a specific offer of commercial financing by a provider” – to determine whether the financing is commercial financing. Additionally, when extending a specific offer for sales-based financing, the provider must disclose the terms of the transaction as specified within the bill. As a condition of obtaining commercial financing, should the provider require a recipient to pay off the balance of existing commercial financing from the same provider, the provider would be required to include additional disclosures. The bill also discusses conditions and criteria for when using another state’s commercial financing disclosure requirements that meet or exceed Connecticut’s provisions may be permitted.
The bill further provides that a commercial financing contract entered into on or after July 1, 2024, may not contain any provisions waiving a recipient’s right to notice, judicial hearing, or prior court order in connection with the provider obtaining any prejudgment remedy. Additionally, a provider may not revoke, withdraw, or modify a specific offer until midnight of the third calendar day after the date of the offer. Finally, the banking commissioner also is authorized to adopt regulations to carry out the bill’s provisions. Notably and unique to Connecticut is a requirement that providers and brokers of commercial financing be registered with the state banking commissioner in addition to adhering to the prescribed disclosure requirements. No later than October 1, 2024, providers and brokers must abide by certain application requirements and pay registration fees. If enacted, Connecticut’s requirements would take effect July 1, 2024.
Similarly, Florida also moved legislation during the 2023 session related to commercial financing that would have created the Florida Commercial Financing Disclosure Law. Among other things, HB 1353 would have required covered providers to provide specified disclosures for commercial financing transactions in amounts of $500,000 or less and would have established unique broker requirements. Florida’s session ended May 5.
California imposes CLRA advertising requirements
Covered entities in California are reminded that Section 1770 of the Consumer Legal Remedies Act requires persons offering or providing a consumer financial service or product to include certain language when making solicitations. As previously covered by InfoBytes, AB 1904 was enacted last year to amend Section 1770 of the Civil Code relating to unfair methods of competition and unfair or deceptive acts. The amended code prohibits a covered person or a service provider from engaging in unlawful, unfair, deceptive, or abusive acts or practices regarding a consumer financial product or service, such as: (i) misrepresenting the source, sponsorship, approval, or certification; (ii) advertising goods or services with the intent not to sell them as advertised; and (iii) making false or misleading statements of fact concerning reasons for, the existence of, or amounts of, price reductions. The amendments authorize the California Department of Financial Protection and Innovation to bring a civil action for a violation of the law, and make unlawful the failure to include certain information, including a prescribed disclosure, in a solicitation by a covered person, or an entity acting on behalf of a covered person, to a consumer for a consumer financial product or service. Specifically, Cal. Civ. Code § 1770(a)(28) requires covered persons to include the following language in solicitations:
- “The name of the covered person, and, if applicable, the entity acting on behalf of the covered person, and relevant contact information, including a mailing address and telephone number.”
- “The following disclosure statement in at least 18-point bold type and in the language in which the solicitation is drafted: ‘THIS IS AN ADVERTISEMENT. YOU ARE NOT REQUIRED TO MAKE ANY PAYMENT OR TAKE ANY OTHER ACTION IN RESPONSE TO THIS OFFER.’”
The requirements took effect at the beginning of the year.
Colorado limits out-of-state bank charges on consumer credit
On June 6, the Colorado governor signed HB 23-1229 (the “Act”) to amend the state’s Uniform Consumer Credit Code (UCCC). Specifically, Colorado has invoked its right under the Depository Institutions Deregulation and Monetary Control Act (DIDMCA) to opt out of a provision that allows state-chartered banks to preempt state interest rates applicable to consumer credit transactions. Sections 521-523 of DIDMCA currently allow state-chartered banks to charge the interest allowed by the state where they are located, regardless of where the borrower is located and regardless of conflicting out-of-state law. Section 525, however, provides states with the authority to opt out of these sections.
Modifications to the UCCC impact requirements for alternative charges for loans not exceeding $1,000, and include the following changes:
- Reduces the permissible acquisition charge on the original loan or any refinanced loan from 10 to eight percent of the amount financed;
- Reduces permissible monthly installment account handling charges based on categories of the amount financed;
- Increases the minimum loan term from 90 days to six months;
- Removes the ability for a lender to charge a delinquency charge on a loan;
- Amends provisions relating to the conditions upon which an acquisition charge must be refunded to a consumer; and
- Limits the number of times a lender can refinance a consumer loan to once a year.
The amendments take effect July 1, 2024, and only apply to consumer credit transactions made after that date.
Maryland says shared appreciation agreements are mortgage loans
The Maryland governor recently signed HB 1150 (the “Act”), which subjects certain shared appreciation agreements (SAAs) to the Maryland Mortgage Lender Law. Under the Act, the term “loan” now “includes an advance made in accordance with the terms of a shared appreciation agreement.” An SAA is defined by the Act to mean “a writing evidencing a transaction or any option, future, or any other derivative between a person and a consumer where the consumer receives money or any other item of value in exchange for an interest or future interest in a dwelling or residential real estate, or a future obligation to repay a sum on the occurrence of [certain] events,” such as an ownership transfer, a repayment maturity date, a consumer’s death, or other events. The Act specifies that a loan is subject to the state’s mortgage lender law if the loan is an SAA and “allows a borrower to repay advances and have any repaid amounts subsequently readvanced to the borrower.”
Interim guidance released by the Maryland Commissioner of Financial Regulation further clarifies that SAAs are mortgage loans, and that those who offer SAAs to consumers in the state are required to obtain a Maryland mortgage lender licensing unless exempt. Under the Act, the commissioner will issue regulations addressing enforcement and compliance, including SAA disclosure requirements. The Act takes effect July 1. However, for SAA applications taken on or after July 1 (and until regulations are promulgated and effective), the commissioner will not cite a licensee for disclosure requirement violations, provided the licensee makes a good faith effort to give the applicant specified information within ten days of receiving an application. Licensees will be required to provide the information again at least 72 hours before settlement if the actual terms of the SAA differ from those provided in the initial disclosure.
Agencies propose ROV guidance
On June 8, the CFPB joined the Federal Reserve Board, FDIC, NCUA, and the OCC to request comments on proposed interagency guidance relating to reconsiderations of value (ROV) for residential real estate valuations. The proposed guidance advises financial institutions on policies that would afford consumers an opportunity to introduce evidence that was not previously considered in the original appraisal. The proposal references the occurrence of “deficiencies” in real estate valuations, which can be due to errors or omissions, valuation methods, assumptions, or other factors. According to the proposed guidance, these kind of valuation deficiencies can “prevent individuals, families, and neighborhoods from building wealth through homeownership by potentially preventing homeowners from accessing accumulated equity, preventing prospective buyers from purchasing homes, making it harder for homeowners to sell or refinance their homes, and increasing the risk of default.” Also noted is the risk non-credible valuations pose to financial institutions, which may lead to loan losses, violations of law, fines, civil money penalties, damages, and civil litigation.
The proposed guidance (i) provides direction on how ROVs overlap with appraisal independence requirements and compliance with relative laws and regulations; (ii) identifies how financial institutions can implement and improve existing ROV policies while remaining compliant with regulations, preserving appraiser independence, and being responsive to consumers; (iii) explains how deficiencies can pose risk to financial institutions and describes how ROV policies should be factored into risk management functions; and (iv) provides examples of ROV policies, procedures, control systems, and complaint processes to address deficient valuations.
Comments on the proposed guidance are due within 60 days of publication in the Federal Register.
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
FTC seeks to work with states on combatting fraud
On June 7, the FTC announced it is soliciting public comments on how the Commission can work more effectively with state attorneys general to prevent and inform consumers about potential fraud. The FTC said in its announcement that the agency and the AGs share a common mission to protect the public from “deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.” The request for public comments comes as a result of the FTC Collaboration Act of 2021 (the “Act”), which requires the Commission to not only solicit public comments, but also to consult directly with interested stakeholders. Signed into law last year, the Act directs the FTC to conduct a study on how to streamline and leverage the relationship between the Commission and the AGs to better protect Americans from fraud and hold those committing malicious acts accountable. The FTC requests comments specifically regarding: (i) the roles and responsibilities of the Commission and AGs that best advance collaboration and consumer protection; (ii) how resources should be dedicated to further such collaboration and consumer protection; and (iii) the accountability mechanisms that should be implemented to promote collaboration and consumer protection between the FTC and AGs.
The completed report will be submitted to the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation. Comments are due 60 days after publication in the Federal Register.
CFPB revises supervision and examination manual
On June 5, the CFPB revised its Supervision and Examinations Manual to incorporate minor changes for larger participants under “Module 7 - Consumer Alerts, Identity Theft, and
Human Trafficking Provisions.” The updates specifically included FCRA and Regulation V requirements that prohibit credit reporting agencies (CRAs) from including information in consumer reporting in cases of human trafficking. Notably, the final rule regarding credit reporting on human trafficking victims was issued in 2022 (previously covered by InfoBytes here). The CFPB also stated that all CRAs must “establish and maintain written policies and procedures reasonably designed to ensure and monitor the compliance of the consumer reporting agency and its employees with the requirements of 12 CFR 1022.142.”