On October 12, the U.S. District Court for the Northern District of Illinois granted plaintiff’s motion to remand a debt collection class action lawsuit back to state court. The plaintiff claimed the defendants violated the Illinois Collection Agency Act and FDCPA Section 1692c(b) by using a third-party mailing vendor to print and mail collection letters to class members. According to the plaintiff’s complaint filed in state court, conveying the information to the vendor—an allegedly unauthorized party—served as a communication under the FDCPA. The defendants removed the case to federal court, but on review, the court determined the plaintiff did not have Article III standing to sue because Congress did not intend to prevent debt collectors from using mail vendors when the FDCPA was enacted. Specifically, the court disagreed with the U.S. Court of Appeals for the Eleventh Circuit’s decision in Hunstein v. Preferred Collection & Management Services, which held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” (Covered by InfoBytes here.) In this case, the court stated it “is difficult to imagine Congress intended for the FDCPA to extend so far as to prevent debt collectors from enlisting the assistance of mailing vendors to perform ministerial duties, such as printing and stuffing the debt collectors’ letters, in effectuating the task entrusted to them by the creditors—especially when so much of the process is presumably automated in this day and age.” According to the court, “such a scenario runs afoul of the FDCPA’s intended purpose to prevent debt collectors from utilizing truly offensive means to collect a debt.”
On October 8, the New York governor signed S737A, which requires creditors and debt collectors to clearly and conspicuously disclose to a debtor that communications are available in alternative formats. Among other things, the bill requires that creditors and debt collectors: (i) be assessed a civil penalty of up to $250 for violations of the law and up to $500 for each subsequent violation; and (ii) supply a phone number for consumers to request the letter in an alternative format. The bill also defines “communication,” “debt,” and “debt collector.”
On October 12, the New Jersey attorney general and the Division of Consumer Affairs announced an action against a healthcare provider alleging that the defendant violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the HIPAA Security Rule by removing administrative and technological safeguards for protected health information (PHI) and electronic PHI (ePHI). The settlement resolves allegations that the defendant’s data breach allowed instances, between August 2016 and January 2017, of unauthorized access to the defendant’s network, which permitted at least one intruder to access consumer ePHI. Among other things, the defendant’s alleged violations include failing to: (i) ensure the confidentiality, integrity, and availability of ePHI; (ii) implement a mechanism to encrypt ePHI; (iii) review and modify security measures; (iv) implement proper procedures for creating, changing, and safeguarding passwords; and (v) implement verification procedures. According to the consent order, the defendant must pay $412,300 in civil penalties and $82,700 in investigative costs and attorney fees. The defendant is also required to implement extensive reforms to its data security system and encryption protocols to protect clients' PHI and prevent future breaches.
Earlier this year, the Hawaii governor signed HB 1192, which amends certain provisions related to small dollar lending requirements. Specifically, the bill sets forth a new licensing requirement for “installment lenders” and specifies various consumer protection requirements. The bill defines installment lender broadly as “any person who is in the business of offering or making a consumer loan, who arranges a consumer loan for a third party, or who acts as an agent for a third party, regardless of whether the third party is exempt from licensure under this chapter or whether approval, acceptance, or ratification by a third party is necessary to create a legal obligation for the third party, through any method including mail, telephone, the Internet, or any electronic means.” This language appears to capture loans offered under a bank partnership model under the purview of the new law.
Further, the bill: (i) caps installment loan amounts at $1,500, and restricts the total amount of charges to no more than 50 percent of the principal loan amount; (ii) limits monthly maintenance fees to between $25 and $35 depending on the installment loan’s original principal amount; (iii) stipulates that the minimum repayment term is two months for installment loans of $500 or less, or four months for loans of $500.01 or more; (iv) states that lenders must “accept prepayment in full or in part from a consumer prior to the loan due date and shall not charge the consumer a fee or penalty if the consumer opts to prepay the loan; provided that to make a prepayment, all past due interest and fees shall be paid first”; (v) prohibits a consumer’s repayment obligations from being secured by a lien on real or personal property; (vi) prohibits lenders from requiring consumers to purchase add-on products such as credit insurance; (vii) provides that the maximum contracted repayment term of an installment loan is 12 months; (viii) caps the annual interest rate on installment loans at 36 percent; and (ix) states that any installment loan made without a required license is void (the collection, receipt, or retention of any principal, interest, fees, or other charges associated with a voided loan is prohibited).
The bill exempts certain financial institutions (e.g., banks, savings banks, savings and loan associations, depository and nondepository financial services loan companies, credit unions) from the installment lender licensing requirements.
The bill also repeals existing state law on deferred deposits. While HB 1192 became effective July 1, provisions related to the repeal of the existing law on deferred deposits and installment lender licensing requirements are effective January 1, 2022. License applications will be available via the Nationwide Multistate Licensing System.
On October 4, the California governor signed AB 1320, which requires a licensee to supply a toll-free telephone number on its internet website so that a customer may contact the licensee for customer service issues and receive live customer assistance, in addition to displaying the days and times that the telephone line is operative. Among other things, the bill requires that a telephone number be included in the information contained in a receipt given to a customer at the time of a money transmission transaction. In addition, the bill specifies that the telephone line must be operative “at least 10 hours per day, Monday through Friday, excluding federal holidays.” The bill is effective July 1, 2022.
On October 12, the California Department of Financial Protection and Innovation (DFPI) issued a third draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. In July 2019, California released the first draft of the proposed regulations, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released a second round of modifications in August (covered by InfoBytes here, here, and here). The third modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications:
- Amend several terms including “approved advance limit,” “approved credit limit,” “at the time of extending a specific commercial financing offer,” “benchmark rate,” “broker,” “provider,” and “recipient funds.”
- Define the term “specific commercial financing offer” to mean a written communication to a recipient related to specific payment amounts and costs of financing, but does not include a recipient’s name, address, or general interest in financing.
- Amend certain disclosure requirements and thresholds, including specific circumstances that a provider can disregard when making calculations and disclosures.
- Clarify APR calculation requirements and tolerances and outline disclosure criteria for specifying the amount of financing used to pay down or pay off other amounts owed by a recipient.
- Amend duties and requirements for financers and brokers.
- Amend criteria for specifying the amount of funding a recipient will receive.
Comments on the third modifications must be received by October 27.
Recently, the California governor enacted several state bills relating to consumer financial protection. On October 6, AB 790 was signed, which expands upon provisions of the Consumer Legal Remedies Act that relate to “home solicitations of a senior citizen where a loan encumbers the primary residence of the consumer for purposes of paying for home improvement.” Specifically, the bill extends the Act’s protections to cover loans for assessments under the Property Assessed Clean Energy (PACE) program, or certain provisions regulating PACE under the California Financing Law, such that violations would qualify as unfair methods of competition and unfair or deceptive acts or practices.
On October 6, AB 424 was signed, which enacts the Private Student Loan Collections Reform Act. The bill prohibits a private education lender or loan collector from making a written statement to a debtor attempting to collect a private education loan unless the private education lender or private education loan collector has certain information related to the debt and provides it to the debtor. In addition, among other things, the bill: (i) prohibits a private education lender or private education loan collector from bringing certain legal proceedings to collect a private education loan if the statute of limitations expired; (ii) creates a state-mandated local program by expanding the scope of the crime of perjury; and (iii) makes other provisions related to settlement agreements and payment notification requirements. The bill is effective July 1, 2022.
On October 4, AB 1221 was signed, which specifies that service contract requirements must include certain elements and cancellation policies. Among other things, the bill: (i) requires a service contract to include a clear description and identification of the covered product; (ii) makes a violation of certain provisions of the Electronic and Appliance Repair Dealer Registration Law a misdemeanor; and (iii) specifies “that a service contract may be offered on a month-to-month or other periodic basis and continue until canceled by the buyer or the service contractor and would require a service contract that continues until canceled by the buyer or service contractor to, among other things, disclose to the buyer in a clear and conspicuous manner that the service contract shall continue until canceled by the buyer or service contractor and provide a toll-free number, email address, postal address, and, if one exists, internet website the buyer can use to cancel the service contract.” In addition, by expanding the scope of the crime in violation of the Electronic and Appliance Repair Dealer Registration Law, the bill imposes a state-mandated local program. The law is effective January 1, 2022.
On October 4, AB 1405 was signed, which enacts the Fair Debt Settlement Practices Act. Among other things, the bill: (i) specifies that customers in a debt settlement plan have a window of three days to review disclosures prior to the contract taking effect; (ii) defines “debt settlement provider”; (iii) prohibits unfair, abusive, or deceptive acts or practices from a debt settlement provider and a payment processor when providing certain services; (iv) authorizes a consumer to terminate a contract for debt settlement services at any time without a fee or penalty of any sort by notifying the debt settlement provider; and (v) authorizes a consumer to bring a civil action for violation.
On October 5, the California governor signed AB 694. The bill clarifies that the California Privacy Protection Agency (which was given “full administrative power, authority, and jurisdiction to implement and enforce the [California Consumer Privacy Act]”) would assume responsibility for rulemaking “on or after the later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking.” As previously covered by InfoBytes, last month the CPPA formally called on stakeholders to provide preliminary comments on proposed Consumer Privacy Rights Act rulemaking. However, the CPPA noted that the invitation for comments is not a proposed rulemaking action and stated that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
On October 7, NYDFS announced the first awards from the New York Community Development Financial Institution (CDFI) Fund to support access to safe and affordable banking services in historically underserved and redlined, low-income communities. According to the announcement, with a multi-year $25 million New York State commitment, the CDFI Fund plans to allocate resources for the growth of CDFIs to assist in the delivery of affordable financial products and services and financial literacy programming to low- and moderate-income New York citizens. In addition, the CDFI Fund will expand “access to capital and technical assistance services for New York State small businesses and non-profit organizations.” In total, 31 CDFIs were selected to receive financial inclusion grants, which totaled nearly $5 million.
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.
Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.
Both bills take effect January 1, 2022.