
InfoBytes Blog

Financial Services Law Insights and Observations


  • DFPI sanctions former PACE solicitor under California Consumer Financial Protection Law

    State Issues

    On March 30, the California Department of Financial Protection and Innovation (DFPI) announced it has permanently banned an individual and three companies he owns or controls for allegedly evading Property Assessed Clean Energy (PACE) laws. According to DFPI, the respondents, among other things, engaged in unfair and deceptive marketing tactics by “marketing their product as a ‘no-cost’ government-funded program” and “using an unenrolled company to advertise and solicit consumers for PACE financing.” DFPI claimed the respondents offered and sold PACE financing without enrolling with a PACE program administrator, failed to clearly and accurately inform consumers about how PACE financing works, and “misled consumers about their relationships with public agencies, lenders, PACE program administrators, and each other.” Under the terms of the consent order, the respondents agreed to cease and desist from offering PACE financing to consumers, agreed not to use “PACE” in business names, websites, marketing materials, or construction communications, and agreed not to seek future enrollment with any PACE program administrator.

    State Issues State Regulators PACE Programs Enforcement CCFPL

  • NYDFS updates cybersecurity fraud alert

    State Issues

    On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities to the following additional hacking methods: (i) using web-debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company; and (ii) credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to avoid displaying prefilled NPI, even in redacted form, and to ensure that all portals are protected by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should take to ensure basic security.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500 Covid-19 Bank Regulatory

  • NYDFS finds credit card underwriting showed no evidence of wrongdoing

    State Issues

    In March, NYDFS released a report detailing the findings of an investigation into whether a global technology company and a New York state-chartered bank allegedly discriminated against women when making underwriting decisions for a co-branded credit card. According to the report, in 2019, allegations were made that the bank offered lower credit limits to women applicants and unfairly denied women accounts. NYDFS launched a fair lending investigation into the allegations and reviewed underwriting data for nearly 400,000 New York residents, but ultimately found no evidence of unlawful disparate treatment or disparate impact. Among other things, the report noted that the bank “had a fair lending program in place for ensuring its lending policy—and underlying statistical model—did not consider prohibited characteristics of applicants and would not produce disparate impacts.” The bank also identified the factors it used when making the credit decisions, including credit scores, indebtedness, income, credit utilization, missed payments, and other credit history elements, all of which, NYDFS stated, appeared to be consistent with its credit policy.

    State Issues NYDFS Credit Cards Discrimination Disparate Impact State Regulators Bank Regulatory

  • California again modifies CCPA regs; appoints privacy agency’s board

    State Issues

    On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly-approved amendments strengthen the language of CCPA regulations approved by OAL last August (covered by InfoBytes here). Specifically, the new amendments:

    • Require businesses selling personal information collected in the course of interacting with consumers offline to inform consumers about their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
    • Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
    • Require companies to use opt-out methods that are “easy” for consumers to execute and that require “minimal” steps to opt-out. Specifically, a “business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.” Additionally, except as otherwise permitted by the regulations, companies are prohibited from requiring consumers to provide unnecessary personal information to implement an opt-out request, and may not require consumers to click through or listen to reasons as to why they should not submit an opt-out request. The amendments also state that businesses cannot require consumers “to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.”

    The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.

    Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.

    State Issues State Regulators CCPA State Attorney General Privacy/Cyber Risk & Data Security CPRA CPPA Consumer Protection

  • States urge Department of Education to protect student loan borrowers

    State Issues

    On March 9, NYDFS sent a letter on behalf of a multi-state coalition of financial regulators inviting recently confirmed Department of Education Secretary Dr. Miguel Cardona to partner with the states to ensure protections for student loan borrowers. Specifically, the letter urges Secretary Cardona to reverse two policies instituted by former Secretary Betsy DeVos that the coalition claims “undermine state supervision of private companies that service federal student loans.” The first is a 2018 interpretation (covered by InfoBytes here), which takes the position that state regulation of servicers of loans made under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program is preempted by federal law. The coalition argues that the Department’s 2018 preemption interpretation has made “state-level oversight of student loan servicers more burdensome.” As such, the coalition urges Secretary Cardona to promulgate a regulation rejecting federal preemption of state consumer protection laws to ensure borrowers can “benefit from state oversight of student loan servicers.” The letter also discusses former Secretary DeVos’s attempt to use the Privacy Act of 1974 “as a shield from necessary state oversight”—an action the coalition claims leaves states “with no choice but litigation” to obtain documents needed for industry oversight.

    State Issues State Regulators NYDFS Student Lending Department of Education Bank Regulatory

  • DFPI reiterates “aggressive” enforcement during pandemic

    State Issues

    On March 11, the California Department of Financial Protection and Innovation (DFPI) released a statement discussing the regulator’s expanded consumer protection efforts during the Covid-19 pandemic. Among other things, DFPI noted that it is “aggressively exercising its new authority to regulate a large group of newly covered financial services, including debt collectors, credit reporting and credit repair agencies, debt relief agencies and others,” and verifying compliance with state and federal laws protecting homeowners from “coronavirus-related foreclosures.” DFPI also stated it issued a cease-and-desist order filed against a student loan debt relief company (covered by InfoBytes here), and launched an investigation of lender efforts to evade state interest rate caps.

    State Issues State Regulators DFPI Consumer Protection Covid-19

  • NYDFS, mortgage lender reach $1.5 million cyber breach settlement

    State Issues

    On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.

    State Issues State Regulators NYDFS Enforcement Privacy/Cyber Risk & Data Security Settlement Mortgages Data Breach 23 NYCRR Part 500 Bank Regulatory

  • FTC adds two defendants to real estate investment scheme suit

    Federal Issues

    On February 25, the FTC and the Utah Division of Consumer Protection announced the addition of two defendants in an action taken against a Utah-based company and its affiliates (collectively, “defendants”) for allegedly using deceptive marketing to persuade consumers to attend real estate events costing thousands of dollars. As previously covered by InfoBytes, the FTC and the Utah Division of Consumer Protection claimed that the defendants violated the FTC Act, the Consumer Review Fairness Act (CRFA), and Utah state law by marketing real estate events with false claims and using celebrity endorsements. The defendants allegedly promised consumers they would (i) earn thousands of dollars in profits from real estate investment “flips” by using the defendants’ products; (ii) receive 100 percent funding for their real estate investments, regardless of credit history; and (iii) receive a full refund if they do not make “a minimum of three times” the price of the workshop within six months. In October 2019, the U.S. District Court for the District of Utah granted a temporary restraining order against the defendants, prohibiting the defendants from continuing to make unsupported marketing claims and from interfering with consumers’ ability to review their products.

    Federal Issues FTC Enforcement Courts State Regulators FTC Act UDAP Marketing Deceptive State Issues

  • DFPI addresses several MTA licensing exemptions

    Recently, California’s Department of Financial Protection and Innovation (DFPI) released several new opinion letters covering aspects of the California Money Transmission Act (MTA) related to virtual currency, agent of payee rules, and transactions in which recipients are paid before a company is reimbursed. Highlights from the redacted letters include:

    • Agent of Payee Exemption – Online Gaming/Sports Betting. The redacted opinion letter reviewed whether a company’s payment processing services—which allow customers to use bank accounts to purchase stored value redeemable for goods and services, including “e-commerce, digital goods, financial services, travel, and online gaming/sports betting”—require licensure under the MTA. DFPI concluded that the company’s “pay-in” transactions qualify for the agent-of-payee exemption where the merchant is the payee, the customer is the payor, and the company is the agent of the payee, because the pay-in transactions are ultimately for goods and services since the customer is purchasing stored value redeemable in a closed loop of issuing merchant, and the company’s master agreement with the merchant states that payment to the company satisfies the customer’s obligation to pay the merchant. However, DFPI noted that the agent-of-payee exemption does not apply to transactions involving refunds and the pay-out of winnings. Pay-out transactions, DFPI explained, “constitute ‘receiving money for transmission’ because the [company] receives money from the [m]erchants for transfer to the [c]ustomers” and the customer does not provide goods or services to the merchant for which payment is owed.
    • Agent of Payee Exemption – Payments to Daily Fantasy Sports Providers. The redacted opinion letter, which supersedes an interpretive opinion issued last August (covered by InfoBytes here), reviewed whether MTA licensure is required for a company that plans to offer U.S.-based merchant clients (primarily daily fantasy sports providers) an ACH payment platform to allow customers to use bank accounts to purchase credits for their accounts with the merchants. According to DFPI, pay-in transactions for stored monetary value “constitute ‘receiving money for transmission’”; however, DFPI noted that based on provided information, the pay-in activities qualify for the agent-of-payee exemption because the merchant is the payee, the customer is the payor, and the company is the agent of the merchant. Additionally, the company’s “receipt of funds from the [c]ustomer satisfies the [c]ustomer’s payment obligation to the [m]erchant for the goods or services.” Here, DFPI also explained that the pay-in transactions are closed loop since the customer’s stored value can only be redeemed for goods or services provided by the issuing merchant or its affiliate. DFPI further explained that “selling or issuing” closed loop stored value is excluded from the definition of money transmission. In both the first and second opinion letters, DFPI reiterated that MTA licenses cannot be issued to companies engaged in the transmission of money to facilitate unlawful activities, such as sports betting.
    • Purchase and Sale of Cryptocurrency. The redacted opinion letter concluded that a company’s activities, which are limited to buying and selling virtual currency directly from and to consumers via ACH or wire transfer, do not trigger the licensing requirements of the MTA because the activities do “not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.”
    • Paying Recipients Before a Company is Reimbursed. The redacted opinion letter examined whether a company’s payment reimbursement model requires licensure under the MTA. The company offers transactions that result in beneficiaries being paid before the company receives money from the sender. The company “obtains a payment authorization on the customer’s debit card for the transaction,” and the debit card authorization then “puts a hold on the cardholder’s funds for the purchase and guarantees that [the company] will be paid.” Once the customer authorizes the transaction, the funds are instantly moved to the recipient’s wallet or bank account for immediate use. To be reimbursed, however, the company must initiate a second step, which actually processes the payment and converts the hold status to payment/post status. According to DFPI, the company’s payment reimbursement model does not involve transactions that constitute money transmission because the company “never ‘receives money for transmission. . ., does not actually or constructively receive, take possession of, or hold money or monetary value for transmission. . ., incurs no transmission liability,” or puts consumer funds at risk.

    Licensing State Issues DFPI California Money Transmission Act State Regulators

  • CSBS announces new nonbank cybersecurity exam tool

    On February 24, during the Nationwide Multistate Licensing System Annual Conference, the Conference of State Bank Supervisors (CSBS) released an updated cybersecurity examination tool designed for nonbank financial company supervision. The tool is intended for state regulators to use during examinations, and CSBS encourages companies to use it to monitor cybersecurity health between examinations. The tool is the newest addition to state regulators’ ongoing efforts to help nonbank companies—including fintech and payment companies, money transmitters, and mortgage companies—protect, mitigate, and respond to cyber threats. While the current tool is “considered a baseline assessment for less complex and lower risk institutions,” CSBS notes that an additional tool is currently under development for release in Q2 2021 for more complex institutions.

    Licensing State Issues CSBS Nonbank Privacy/Cyber Risk & Data Security State Regulators Fintech
