
InfoBytes Blog

Financial Services Law Insights and Observations



  • CFPB comments on California DFPI licensing provisions, income-based advances

    Agency Rule-Making & Guidance

    On December 1, the CFPB posted a blog entry sharing its comment letter responding to the California DFPI’s notice of proposed rulemaking for “income-based advances” from earlier this year. As previously covered by InfoBytes, the DFPI’s proposed regulations would, among other things, clarify licensing provisions and the applicability of the CFL to certain activities. In its comment letter, the CFPB stressed the importance of regulatory consistency for consumer financial products and services across federal and state law. The letter noted the CFPB’s view that companies offering “income-based advances” (also marketed as “earned wage access”) are subject to federal oversight, and the CFPB supports state oversight of such companies as well. Moreover, the CFPB said that DFPI’s particular treatment of income-based advances takes a similar approach to TILA and Regulation Z and that the CFPB plans to issue further guidance regarding the applicability of TILA to these products.

    Agency Rule-Making & Guidance CFPB DFPI Consumer Finance California State Regulators CCFPL

  • CPPA continues efforts towards California Privacy Rights Act

    State Issues

    The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).

    Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.

    The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.

    The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list that includes the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.

    State Issues Privacy California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • DFPI finalizes small business UDAAP and data reporting rule

    State Issues

    DFPI recently approved the final regulation for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. After considering comments and releasing three rounds of modifications to Sections 1060, 1061, and 1062, the final regulation will, among other things, bring protections to small businesses seeking loans, by (i) defining and prohibiting unfair, deceptive, and abusive acts and practices in the offering or provision of commercial financing to small businesses, nonprofits, and family farms; and (ii) establishing data collection and reporting requirements.

    Previous InfoBytes coverage on the (i) initial modifications to the CCFPL proposed regulation can be found here; (ii) the second round of CCFPL modifications proposal is found here; and (iii) the third iteration of the modified CCFPL proposal is located here.

    This DFPI regulation was notably finalized on the heels of the CFPB’s finalized Section 1071 rule on small business lending data, which similarly will require financial institutions to collect and provide the Bureau data on lending to small businesses (covered by InfoBytes here).

    Sections 1060, 1061, and 1062 will be effective on October 1.

    State Issues Agency Rule-Making & Guidance State Regulators DFPI CCFPL Commercial Finance UDAAP Small Business Lending Consumer Finance California

  • California Privacy Protection Agency announces its first inquiry

    Privacy, Cyber Risk & Data Security

    On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CPPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.

    Privacy, Cyber Risk & Data Security State Issues State Regulators California CCPA CPPA Enforcement

  • DFPI concludes MTA licensure not required for data processor

    State Issues

    On July 25, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter concluding that a company that merely receives payment instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission” requiring licensure under the California Money Transmission Act (MTA).

    Citing the California regulations, DFPI states that to “receive money for transmission,” a person must actually or constructively receive, take possession, or hold money or monetary value for transmission; merely receiving instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission.”

    As described in the letter, the data processor facilitated payments made by customers to contracting merchants in exchange for goods and services sold by merchants.  The data processor forwards customer account and transaction details to partner financial institutions for debiting the customer’s account, and also facilitates refunds initiated by the merchants, including sending ACH instructions to the partner financial institution.  However, the data processor at no point handles transferred funds or has custody or legal ownership of the rights to the transferred funds.  DFPI, based on several factors and not solely limited to the services described, determined that the inquiring data processor’s payment system does not constitute money transmission or require an MTA license.

    State Issues Licensing State Regulators California Money Transmission Act Consumer Finance California Fair Access to Credit Act California Financing Law DFPI

  • NYDFS: Auto loan borrowers are entitled to rebates for cancelled ancillary products

    State Issues

    On July 18, NYDFS sent a letter reminding regulated auto lenders and auto loan servicers that they are responsible for ensuring certain rebates are credited to consumers whose vehicles were repossessed or were a total loss. During its examinations, NYDFS identified instances where certain institutions that finance ancillary products, such as extended warranties, vehicle service contracts, and guaranteed asset protection insurance, failed to properly calculate, obtain, and credit rebates to consumers as required. NYDFS explained that the terms of sale for such ancillary products “provide that if the vehicle is repossessed or is a total loss prior to the product’s expiration, the consumer is entitled to a rebate for the prorated, unused value of the product (a ‘Rebate’), payable first to the [i]nstitution to cover any deficiency balance, and then to the consumer.” NYDFS found that some institutions either neglected to pursue Rebates from the issuers of the ancillary products or miscalculated the owed amounts, adding that in some instances, institutions made initial requests for Rebates but did not follow through to ensure that they were received and credited to consumers.

    NYDFS explained that an institution’s failure to obtain and credit Rebates from unexpired ancillary products is considered to be unfair “because it causes or is likely to cause substantial injury to consumers who are made to pay or defend themselves against deficiency balances in excess of what the consumer legally owes.” The resulting injury caused to consumers is not outweighed by any countervailing benefits to consumers or to competition, NYDFS stressed.

    Additionally, NYDFS said an institution’s statements and claims of consumers’ deficiency balances that do not include correctly calculated and applied Rebates are considered to be deceptive, as they mislead consumers about the amount they owe after considering all setoffs. NYDFS said it expects institutions to fulfill their contractual obligations by ensuring Rebates are properly accounted for, either by deducting them from deficiency balances or issuing refund checks if no deficiency balance is owed.

    NYDFS further noted in its announcement that recent CFPB examinations found that certain auto loan servicers engaged in deceptive practices when they notified consumers of deficiency balances that misrepresented the inclusion of credits or rebates. The Bureau’s supervisory highlights from Winter 2019, Summer 2021, and Spring 2022 also revealed that collecting or attempting to collect miscalculated deficiency balances that failed to account for a lender’s entitled pro-rata refund constituted an unfair practice.

    State Issues Bank Regulatory State Regulators NYDFS Auto Finance Consumer Finance UDAAP Ancillary Products Deceptive Unfair CFPB Act

  • CFPB, states sue company over deceptive student lending and collection

    Federal Issues

    On July 13, the CFPB joined state attorneys general from Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia in taking action against an education firm accused of engaging in deceptive marketing and unfair debt collection practices. California’s Department of Financial Protection and Innovation is participating in the action as well. Prior to filing for bankruptcy, the Delaware-based defendant operated a private, for-profit vocational training program for software sales representatives. The joint complaint, filed as an adversary proceeding in the firm’s bankruptcy case, alleges that the defendant charged consumers up to $30,000 for its programs. The complaint further alleges that the defendant encouraged consumers who could not pay upfront to enter into income share agreements, which required minimum payments equal to between 12.5 and 16 percent of their gross income for 4 to 8 years or until they had paid a total of $30,000, whichever came first.

    The complaint asserts that the defendant engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and misleading borrowers into believing that no payments would need to be made until they received a job offer from a technology company with a minimum annual income of $60,000. The defendant is also accused of failing to disclose important financing terms, such as the amount financed, finance charges, and annual percentage rates, as required by TILA and Regulation Z. The complaint also claims that the defendant hired two debt collection companies to pursue collection activities on defaulted income share loans. One of the defendant debt collectors is accused of engaging in unfair practices by filing debt collection lawsuits in remote jurisdictions where consumers neither resided nor were physically present when the financing agreements were executed. The complaint further alleges the two defendant debt collectors violated the FDCPA and the CFPA by deceptively inducing consumers into settlement agreements and falsely claiming they owed more than they did.

    According to the Bureau and the states, after the Delaware Department of Justice and Delaware courts began scrutinizing the debt collection lawsuits, the defendant unilaterally changed the terms of its contracts with consumers to force them into arbitration even though none of them had agreed to arbitrate their claims. Additionally, the complaint contends that settlement agreements marketed as being “beneficial” to consumers actually released consumers’ claims against the defendant and converted income share loans into revised “settlement agreements” that obligated them to make recurring monthly payments for several years and contained burdensome dispute resolution and collection terms.

    The complaint seeks permanent injunctive relief, monetary relief, consumer redress, and civil money penalties. The CFPB and states are also seeking to void the income share loans.

    Federal Issues State Issues Courts State Attorney General State Regulators CFPB Consumer Finance Student Lending Debt Collection Income Share Agreements Deceptive Unfair UDAAP FDCPA CFPA TILA Regulation Z Enforcement

  • NYDFS publishes new proposal on cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

    • New and amended definitions. The proposed second amendment defines “Chief Information Security Officer or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
    • Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provide that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
    • Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
    • Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

    The proposed second amendment is subject to a 45-day comment period expiring August 14.

    Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

  • DFPI highlights CCFPL enforcement actions

    State Issues

    On June 8, the Department of Financial Protection and Innovation (DFPI) released its second annual report covering California Consumer Financial Protection Law (CCFPL) actions two years after the statute took effect. DFPI reported growth across rulemaking, enforcement, supervision, complaint handling, stakeholder outreach, and consumer education. It also developed several new department functions to support historically underserved communities.

    According to the report, DFPI’s increased visibility in the consumer protection space has generated more consumer complaints, resulting in more enforcement actions. Compared to 2021, there was a 514 percent increase in CCFPL-related complaints (approximately 454 complaints), and an 85 percent increase in CCFPL-related investigations (approximately 196 investigations). Top complaint categories included debt collection and crypto assets, with student loan servicers and credit reporting closely following at third and fourth. To address these issues, DFPI opened 110 crypto-related investigations and launched a consumer alerts page on its website featuring 67 public actions and 65 consumer alerts.

    Other key takeaways from the report include that DFPI (i) ordered more than $250,000 in penalties; (ii) ordered over $300,000 in restitution to consumers; (iii) brought its first two civil actions using CCFPL authority; (iv) had 105,000 people attend its outreach and education events; (v) published a notice of proposed rulemaking requiring providers of certain financial services and products to register with the DFPI; and (vi) chaptered two pieces of legislation adding to the laws that DFPI may enforce under the CCFPL.

    State Issues DFPI Consumer Finance CCFPL Enforcement State Regulators Consumer Protection Consumer Complaints

  • New Jersey says realty company misled consumers about homeowner program

    State Issues

    On June 6, the New Jersey attorney general and the New Jersey Division of Consumer Affairs filed an action against a realty company and its principals (collectively, “defendants”) for allegedly violating the state’s Consumer Fraud Act by making deceptive misrepresentations about its “Homeowner Benefit Program” (HBP). Concurrently, the New Jersey Real Estate Commission in the Department of Banking and Insurance filed an order to show cause alleging similar misconduct and taking action against the real estate licenses belonging to the company and certain related individuals.

    According to the complaint, the defendants’ HBP was marketed to consumers as a low-risk opportunity to obtain quick, upfront cash between $300 and $5000 in exchange for giving defendants the right to act as their real estate agents if they sold their homes in the future. The HBP was not marketed as a loan and consumers were told they were not obligated to repay the defendants or to ever sell their home in the future. However, the press release alleged that the HBP functions as a high-interest mortgage loan giving the defendants the right to list the property for 40 years, and that the loan survives the homeowner’s death and levies a high early termination fee against the homeowners. The complaint further charged the defendants with failing to disclose the true nature of the HBP and failing to present the terms upfront. Moreover, in order to sell the HBP, the defendants allegedly placed unsolicited telephone calls to consumers despite not being licensed as a telemarketer in New Jersey. The complaint seeks an order requiring defendants to discharge all liens against homeowners, pay restitution and disgorgement, and pay civil penalties and attorneys’ fees and costs.

    The order to show cause alleges violations of the state’s Real Estate License Act and requires defendants to show why their real estate licenses should not be suspended or revoked, as well as why fines or other sanctions, such as restitution, should not be imposed. Defendants have agreed to cease any attempt to engage New Jersey consumers in an HBP agreement pending resolution of the order to show cause.

    State Issues Licensing Enforcement New Jersey Consumer Finance Predatory Lending State Attorney General State Regulators

