
InfoBytes Blog

Financial Services Law Insights and Observations


  • DFPI proposes new CCFPL modifications on complaints and inquiries

    State Issues

    On April 14, the California Department of Financial Protection and Innovation (DFPI) released a third round of modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. DFPI modified the proposed text in December and March (covered by InfoBytes here and here) in response to comments received on the initially proposed text issued last year to implement Section 90008 subdivisions (a), (b), and (d)(2)(D) of the CCFPL (covered by InfoBytes here). Subdivisions (a) and (b) authorize the DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and the DFPI concerning consumer complaints and inquiries, whereas subdivision (d)(2)(D) permits covered persons to withhold certain non-public or confidential information when responding to consumer inquiries.

    DFPI considered comments on the most recent proposed modifications and is now proposing further changes:

    • Amended definitions. The proposed modifications change “officer” to “complaint officer” and expand the definition to mean “an individual designated by the covered person with primary authority and responsibility for the effective operation and governance of the complaint process, including the authority and responsibility to monitor the complaint process and resolve complaints.” References to “officer” have been changed to “complaint officer” throughout.
    • Complaint processes and procedures. The proposed modifications make clarifying edits to the requirements for annual notices issued to consumers (disclosures must be provided “in a clear and conspicuous manner”), and specify that complaints pertaining solely to entities not involved in the offering or providing of the financial product or service being reported on should not be included in the number of complaints received.
    • Inquiry processes and procedures. The proposed modifications clarify that should an inquirer indicate any dissatisfaction “regarding a specific issue or problem” concerning a financial product or service or allege wrongdoing by the covered person or third party, the inquiry should be handled as a complaint.

    Comments are due April 29.

    State Issues Agency Rule-Making & Guidance State Regulators DFPI CCFPL Consumer Complaints

  • NYDFS to impose supervision fees on virtual currency licensees

    State Issues

    On April 17, NYDFS announced the adoption of a final regulation establishing how certain licensed virtual currency businesses will be assessed for supervision and examination costs. Under 23 NYCRR Part 102, licensed virtual currency companies holding a BitLicense will be assessed for their supervisory costs, similar to other licensees regulated by the Department. Last year, NYDFS first proposed a provision in the state budget authorizing the Department to collect supervisory costs from virtual currency businesses licensed pursuant to the Financial Services Law in order to add talent to its virtual currency regulatory team. (Covered by InfoBytes here.) NYDFS explained that the regulation will only apply to licensed virtual currency businesses and that the fees will only cover the costs and expenses associated with the Department’s oversight of a licensee’s virtual currency business activities. A licensee’s total annual assessment fee will be the sum of its supervisory component and its regulatory component, as defined in the regulation, and will be billed five times per fiscal year, once per quarter and a final true-up at the end of the fiscal year. The background to the final regulation notes that to the extent that a person holds multiple licenses to engage in virtual currency business activities, or concurrently acts as a money transmitter, such person will be billed separately for each license, adding that “[p]ersons who engage in virtual currency business activities as a limited purpose trust company or a banking organization will continue to be assessed under 23 NYCRR Part 101.” The final regulation takes effect upon publication of the Notice of Adoption in the New York State Register.

    State Issues State Regulators NYDFS Digital Assets Supervision Examination 23 NYCRR Part 102 Money Service / Money Transmitters

  • California joins multistate settlement with securities brokerage

    State Issues

    On April 6, the California Department of Financial Protection and Innovation (DFPI) joined a multi-state settlement with a securities brokerage company stemming from an investigation spearheaded by state securities regulators from Alabama, Colorado, California, Delaware, New Jersey, South Dakota, and Texas relating to certain alleged operational and technical failures. According to DFPI, the investigation was triggered by a March 2020 incident in which the brokerage company experienced several platform outages during a period in which hundreds of thousands of investors relied on the company’s app to make trades, thus preventing some users from being able to process trades. The settlement order sets out multiple alleged violations by the brokerage company, including negligently disseminating inaccurate information to customers, failing to have a “reasonably designed customer identification program,” inadequately supervising critical technology, having a deficient system for dealing with customer inquiries, failing to exercise due diligence before approving certain option accounts, and failing to report all customer complaints to FINRA and state securities regulators.

    While the company neither admitted nor denied the findings, it agreed to pay up to $10.2 million in penalties and will continue to implement recommendations to address the alleged misconduct. DFPI noted in its announcement that it “found no evidence of willful or fraudulent conduct” by the company, and said the company fully cooperated with the investigation.

    State Issues Securities State Regulators California DFPI Settlement

  • Collection agency to pay $10k for operating without a license

    On March 21, the Connecticut Department of Banking fined a collection agency $10,000 and ordered it to cease and desist from collection agency activity for operating without a valid license. According to the order, the company applied for a consumer collection agency license in Connecticut in October 2022. However, during its review of the company’s application, the Department of Banking discovered that the company had been operating as a consumer collection agency without a license in the state since at least 2019. Under the terms of the consent order, the company must pay a civil penalty fine of $10,000, and pay $800 to cover back licensing fees. The company consented to the entry of the sanctions without admitting or denying any wrongdoing “solely for the purpose of obviating the need for further formal administrative proceedings,” the order said.

    Licensing State Issues Connecticut State Regulators Enforcement Debt Collection

  • NYDFS, crypto payment company reach AML/cybersecurity settlement

    State Issues

    On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS Anti-Money Laundering Cryptocurrency Virtual Currency Payments Fintech Settlement 23 NYCRR Part 200 23 NYCRR Part 500 OFAC Risk Management

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA

  • Crypto lender to provide refunds to Californians

    State Issues

    On March 27, the California Department of Financial Protection and Innovation (DFPI) announced that a New Jersey-based crypto lending platform has agreed to provide more than $100,000 in refunds to California residents. The refunds, subject to bankruptcy court approval, stem from the lender’s conduct following the collapse of a major crypto exchange last November. As previously covered by InfoBytes, in December, DFPI moved to revoke the lender’s California Financing Law license following an examination, which found that the lender “failed to perform adequate underwriting when making loans and failed to consider borrowers’ ability to repay these loans, in violation of California’s financing laws and regulations.” At the time the lender announced it was limiting platform activity and pausing client withdrawals. The lender eventually filed a petition for chapter 11 bankruptcy. An investigation also revealed that due to the lender’s failure to timely notify borrowers that they could stop repaying their loans, borrowers remitted at least $103,471 in loan repayments to the lender’s servicer while they were unable to withdraw funds and collateral from the platform. A hearing on the lender’s petition to direct its servicer to return borrowers’ loan repayments is scheduled for April 19.

    The lender agreed to an interim suspension of its lending license while the bankruptcy and revocation actions are pending. It also agreed to a final order to discontinue unsafe or injurious practices, as well as a desist and refrain order. Among other things, the lender has agreed to continue to direct its agents to pause collection of repayments on loans belonging to California residents while its license is suspended (including turning off autopay), will continue to set interest rates to 0 percent, and continue to not levy any late fees associated with any payments or report any loans that became delinquent or defaulted on or after November 11, 2022, to credit reporting agencies while the bankruptcy and revocation actions are pending.

    State Issues Digital Assets State Regulators California DFPI Cryptocurrency California Financing Law Bankruptcy Consumer Finance

  • DFPI releases more proposed CCFPL modifications on complaints and inquiries

    State Issues

    On March 23, the California Department of Financial Protection and Innovation (DFPI or the Department) released a second round of modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a), (b), and (d)(2)(D) of the CCFPL. Subdivisions (a) and (b) authorize the DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and the DFPI concerning consumer complaints and inquiries, and subdivision (d)(2)(D) permits covered persons to withhold certain non-public or confidential information when responding to consumer inquiries. The first round of proposed modifications to the NPRM was released in December (covered by InfoBytes here).

    DFPI considered comments received on the initially proposed text and the proposed modifications and is now proposing the following additional changes:

    • Applicability. The proposed modifications clarify that Sections 1072, 1073, and 1074 apply only to covered persons required to be licensed by the DFPI or registered with the DFPI “pursuant to Financial Code sections 90009 and 90009.5, including any rules promulgated thereunder.”
    • Amended definitions. The proposed modifications add an additional exclusion from the definition of “complaint[,]” excluding a “notice of error filed with a remittance transfer provider.” “Complainant” is amended to clarify that it does not include individuals who are not residents of California at the time “the act, omission, decision, condition, or policy giving rise to the complaint was applied to the consumer.”
    • Complaint processes and procedures. Among other things, the proposed modifications add requirements that (i) covered persons issue initial and annual disclosures to California residents that include the procedures for filing a complaint; (ii) the main home page or main contact page include the set hours a live representative is normally available to accept oral complaints; and (iii) all written communications—not just the final decision—related to a complaint must be submitted in the language in which the contract was negotiated. The proposed modifications also make changes to DFPI’s annual complaint report requirements, including a new category related to nuisance complaints.

    Comments are due April 7.

    State Issues State Regulators DFPI CCFPL Consumer Complaints Agency Rule-Making & Guidance California

  • DFPI clarifies licensing provisions for several state laws

    The California Department of Financial Protection and Innovation (DFPI) recently filed a notice of proposed rulemaking with the Office of Administrative Law, seeking to add several sections to Title 10, Chapter 3 of the California Code of Regulations relating to the California Consumer Financial Protection Law (CCFPL), the California Financing Law (CFL), the California Deferred Deposit Transaction Law (CDDTL), and the California Student Loan Servicing Act (SLSA). (See also DFPI initial statement of reasons here.) Among other things, the proposed regulations provide specific registration requirements for covered persons under the CCFPL and outline requirements for exemption from registration under the CCFPL for licensees under the CFL, CDDTL, and SLSA.

    According to DFPI’s notice, the CCFPL grants the Department authority to require covered persons engaged in the business of offering and providing a consumer financial product or service to be registered but does not specify requirements for registration. The proposed regulations clarify these requirements, which include establishing an application process, outlining fees, and specifying persons and conditions for exemption. The proposed regulations also establish annual reporting requirements for filing reports with DFPI. The Department explained that “[e]xisting law exempts from CCFPL registration certain licensees who provide consumer financial products or services ‘within the scope of’ their licenses issued under other Department laws.” The proposed regulations clarify the meaning of “within the scope of” and specify that licensees under the CFL and the CDDTL are exempt from registering under the CCFPL. “[E]xempt licensees who provide products or services that would otherwise be subject to registration under the CCFPL [are required] to submit supplemental information on these activities in their annual reports required under their license,” DFPI explained.

    With respect to the SLSA, DFPI noted that “[a]lthough an SLSA license does not confer upon a licensee the authority to originate financing within the scope of their license, the regulations exempt SLSA licensees from registration requirements for education financing when they meet specified requirements.”

    The proposed regulations also clarify the applicability of the CFL to certain activities, by, among other things, providing that “an advance of funds to be repaid from a consumer’s future earned or unearned pay is a loan subject to the CFL” and that “providers of income-based advances and education financing who are registered under the CCFPL and whose charges do not exceed the charges permitted under the CFL” are exempt from licensure under the CFL. The proposed regulations also clarify provisions relating to collecting loan payments, monthly subscription fees, and loan contracts.

    Comments on the proposed regulations are due May 17.

    Licensing State Issues California State Regulators DFPI CCFPL California Financing Law Student Loan Servicing Act

  • Colorado finalizes privacy rules

    Privacy, Cyber Risk & Data Security

    On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.

    Privacy, Cyber Risk & Data Security State Issues Colorado State Regulators Colorado Privacy Act State Attorney General Agency Rule-Making & Guidance
