InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Michigan requires annual reporting on payday lending from director
On May 22, Michigan enacted HB 4343 (the “Act”) to include new reporting requirements regarding payday lending for the director or the Michigan Department of Insurance and Financial Services (the Department). By October 31 of each year, from 2025 to 2031, the director of the Department must submit a report to the relevant senate and house committees tasked with the oversight of banking and financial services issues. The report must cover various aspects of the payday lending business in the state, including the number of licensed providers, program fees received by the Department, and local and statewide statistics on provider locations, transaction volumes and amounts, and customer usage patterns. The Act will require the Department to include the names and addresses of all licensees, the number of complaints filed against both licensees and non-licensees arising from transactions conducted in the state, and any additional information deemed relevant by the director. According to the Act, the purpose of this reporting will be to enforce and regulate the payday lending industry. The Act will go into effect after the 91st day after the final adjournment of the 2024 regular session.
NYDFS issues loss mitigation guidance for property insurance
On May 23, NYDFS issued Insurance Circular Letter No. 3 (2024) which encouraged all insurers – authorized to write property/casualty insurance in New York – to offer loss mitigation tools and services to the insured for free or at a reduced fee. Insurers are encouraged to offer devices like smart water monitors and provide discounts for the installation of loss prevention systems, such as smoke alarms and sprinkler systems. Additionally, the letter reminded insurers of their obligation to provide an actuarially appropriate reduction in rates for the installation of hurricane/storm shutters and hurricane-resistant windows and doors. It opined that any such tools or services offered by an insurer that are $25 or less in market value need not be specified in the insurance policy, while those exceeding $25 must be. This initiative, the letter stated, will aim to create a more affordable and resilient insurance market.
Colorado enacts consumer protections for artificial intelligence
On May 17, Colorado enacted SB 24-205 (the “Act”) concerning consumer protections in interactions with artificial intelligence (AI) systems. The Act requires developers of “high-risk” AI systems—defined as AI systems that make “consequential” decisions relating to education, employment, financial or lending services, housing, or insurance, etc.—to take reasonable care to protect consumers from “any known or reasonably foreseeable risks of algorithmic discrimination” that could arise from the use of such systems. The Act grants the Attorney General (AG) rule-making authority to implement and enforce the associated requirements.
Beginning in February 2026, developers must provide deployers with comprehensive documentation comprising a general statement of the AI system’s foreseeable uses and known harmful or inappropriate applications, high-level summaries of the training data, known or reasonably foreseeable limitations and risks, the system’s purpose, and its intended benefits and uses. Furthermore, developers must share how the AI system was evaluated for performance and algorithmic discrimination mitigation, the data governance measures applied to its data sets and sources, the intended outputs, the measures taken to mitigate risks, and the guidelines on the proper use and monitoring of the system.
Developers must share publicly a summary statement on their website or in a public use case inventory summarizing the types of high-risk AI systems that developers have developed or substantially modified and how they manage the potential risks of algorithmic discrimination associated with these systems. Additionally, deployers of high-risk AI systems must notify consumers of a system’s involvement in significant decision making, allow consumers to correct inaccurate personal data, and establish an appeal process for adverse determinations which, if technically feasible, allows for human review.
Finally, developers of high-risk AI systems are required to disclose any known or reasonably foreseeable risks of algorithmic discrimination to the AG and all known deployers or other developers of the system. Such disclosure must occur without unreasonable delay and no later than 90 days after a developer becomes aware of the risk. Furthermore, under the Act, the AG has the authority to request documentation or statements from developers to ensure compliance.
Colorado extends and amends law for debt-management service providers
On May 22, the Governor of Colorado approved HB 1251 (the “Act”) which will extend the regulation of debt-management service providers through September 1, 2035 (without legislative action, the relevant law would have been repealed on September 1 of this year). The Act will require debt-management service providers to provide personal finance management education to consumers and keep records of such education, require settlements between a consumer and creditor to be made in writing, and allow the Colorado Attorney General’s office to use the administrative process (instead of the rulemaking process) to establish reasonable fees to be paid by debt-management service providers. The Act will go into effect 90 days following the adjournment of the state assembly, provided no referendum would be filed.
Colorado enacts insurance proceeds disbursement requirements for mortgage servicers
On May 20, Colorado enacted HB24-1011 (the “Act”), which predominantly addressed mortgage servicers’ disbursement of insurance proceeds.
The Act states that, upon the borrower’s request, mortgage servicers must disclose the specific conditions under which the servicer will disburse insurance proceeds in the event that the underlying property was damaged and an insurance company paid proceeds to satisfy the claim. Among other requirements, if the borrower is not delinquent or was less than thirty-one days delinquent in respect of his or her mortgage payments, the borrower is responsible for creating a repair or rebuild plan for the mortgaged property and submitting such plan to the mortgage servicer for approval. In turn, the mortgage servicer is responsible for approving or denying a plan within thirty days of receipt. Additionally, the borrower is entitled to reimbursement of certain advance payments made to a contractor or to purchase materials for the repair or rebuild. The Act outlines a different process if a borrower is more than thirty-one days delinquent on a mortgage payment. The Act provides for additional details regarding the disbursement of proceeds, including the amounts of disbursement.
Additionally, the Act provides that (1) mortgage servicers must disclose, among other items of information, the mortgage interest associated with mortgages upon the commencing of servicing and thereafter as the request of the borrower, and (2) a mortgage servicer must keep all communications with a borrower for at least four years. The Act became effective upon passage.
Minnesota amends list of deceptive practices to include hidden fees
On May 20, the Governor of Minnesota approved HF 3438 (the “Act”) which rewrote two sections of Minnesota’s statutes to 1) redefine the scope of engaging in a deceptive trade practice, and 2) indemnify certain exemptions. Under the revised statute, in Minnesota, a person will engage in a deceptive trade practice when it lists the price of a good or service but does not include all mandatory fees or surcharges. Further, a mandatory fee will include, but is not limited to, a fee that must be paid in order to purchase the goods or services advertised, was not reasonably avoidable by the consumer, or that would be reasonably expected in the purchase of a good or service. A mandatory fee would not include taxes imposed by a government entity. When a consumer would complete a purchase on a delivery platform, the delivery platform must display “in a clear and conspicuous manner” any additional flat fees or percentages which are charged for that purchase. Upon checkout, the delivery platform must display the subtotal and any additional fees added to the total cost. The second amended section referred to exemptions related to lawful fees in association with the purchase or lease of an automobile from a dealership. The Act will go into effect on January 1, 2025.
Maryland enacts child consumer protection laws
On May 9, the Governor of Maryland approved SB 571 (the “Act) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including against processing data not in children’s best interests, profiling children, processing geolocation, using of dark patterns, or monitoring of children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.
Maryland enshrines its consumer online data privacy act
On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.
The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.
Maryland enacts new powers for regulators to examine third parties
On May 9, the Governor of Maryland approved HB 250 (the “Act”) which will authorize the Commissioner of Financial Regulation to examine third parties that service entities under the supervision of the state’s Office of Financial Regulation (OFR). Such licensed entities include both depository and non-depository financial institutions. Currently, the OFR lacks the authority to examine third parties until the Act goes into effect. The Act will define third-party service providers as a “person who performs activities relating to financial services on behalf of a regulated entity for that regulated entity’s customers,” and include data processing centers, activities that support financial services, and internet-related services. On enforcement, the Act will authorize the OFR to enforce the law against any third party that refuses to submit to an examination, refuses to pay a fee, or engages in “unsafe or unsound” behaviors as determined by the OFR. The Act will outline several authorities of the OFR, including notifying the licensed person, which information the OFR can access, and levying fees. Following a notice and hearing, the Commissioner may issue a cease-and-desist order, suspend or revoke a violator’s license, or issue a penalty of up to $10,000 for the first violation and up to $25,000 for each subsequent violation. The Act takes effect on October 1.
Connecticut becomes latest state to ban medical debts in credit reporting
On May 9, the Governor of Connecticut approved SB 395 (the “Act”) banning health care providers from reporting medical debt to credit rating agencies. Further, the Act will prohibit hospitals and collection agents from reporting a patient to a credit rating agency, as well as initiating an action to foreclose a lien where the lien was filed to secure payment for health care (retroactive from October 1, 2022), and from garnishing wages for health care collections (also retroactive from October 1, 2022). The Act will go into effect on July 1. The CFPB wrote in favor of this bill’s enactment after the CFPB promulgated its NPRM to prohibit creditors from using medical bills in underwriting decisions, as covered by InfoBytes here.