On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone calls, including unwanted robocalls. “Electronic text messages to mobile devices have become the newest unwelcomed invasive marketing technique. Consumers should not be burdened with excessive and predatory telemarketing in any form, including text messages,” the press release stated. The act takes effect 30 days after becoming law.
On July 12, Colorado enacted HB 1282, which creates the Colorado Nonbank Mortgage Servicers Act under Article 21 and provides additional consumer protections through the regulation of mortgage servicers. Under the act, a mortgage servicer does not include, among others: supervised financial organizations; certain regulated mortgage loan originators; a federal agency or department; a collection agency whose debt collection business involves collecting on defaulted mortgage loans; agencies, instrumentalities, or political subdivisions of the state; supervised lenders that do not service residential mortgages; servicers that service fewer than 5,000 residential mortgage loans annually; nonprofit organizations; government agencies; originators or servicers using a subservicer that does not act under their direction; and persons servicing loans held for sale. The act stipulates that on or after January 31, 2022, a person may not act as a mortgage servicer without providing notice to the administrator and paying the required fees within 30 days after it begins servicing in the state, and on or before January 31 annually thereafter. The act also outlines provisions related to renewal requirements, record retention, and compliance with federal laws and regulations. Under specified administrator powers and duties, the administrator is allowed to bring an enforcement action against a mortgage servicer, seek restitution and civil money penalties, and request an injunction. While the act provides a four-year statute of limitations, an additional one-year extension may be granted if it is proven that a mortgage servicer engaged in calculated conduct to delay commencement of the action. The act, however, does not create a private right of action or “affect any remedy that a borrower may have pursuant to law other than this Article 21.”
On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The defense is available when an action is brought under Connecticut law or in Connecticut state court and where a business’ cybersecurity program conforms to an “industry recognized cybersecurity framework,” including the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and the Payment Card Industry Data Security Standard. A business can also take advantage of the defense if it is regulated by the state or federal government and is subject to, and conforms its cybersecurity program to, current versions of the following federal laws: (i) HIPAA; (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act; or (iv) the Health Information Technology for Economic and Clinical Health Act. Additionally, should one of the identified frameworks or provided laws be amended, a business has six months after publication to conform to the revisions. The act requires a business’ cybersecurity program to, among other things, protect both “restricted information” and “personal information,” and be based on a business’ size and complexity, the nature and scope of its conducted activities, the sensitivity of the protected information, and the cost and availability of tools to improve information security measures and reduce vulnerabilities. The defense will not apply if a business’ “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.” The act takes effect October 1.
On July 1, the Virginia governor signed SB 1410, which, among other things, amends the state’s anti-discrimination statutes to prohibit discrimination in public accommodations, employment, and housing based on military status. The bill amends the Virginia Fair Housing Law to prohibit discrimination in the sale or rental of dwellings by any person or entity, and prohibit discrimination by “any person or other entity, including any lending institution, whose business includes engaging in residential real estate-related transactions.” The bill also provides that “the term ‘residential real estate-related transaction’ means any of the following: [t]he making or purchasing of loans or providing other financial assistance (i) for purchasing, constructing, improving, repairing, or maintaining a dwelling or (ii) secured by residential real estate; or [t]he selling, brokering, insuring, or appraising of residential real property.” The bill is effective immediately.
On July 7, the Colorado governor signed SB 91, which, among other things, repeals a prior ban on surcharges for credit or debit card transactions. The bill limits the maximum surcharge amount per transaction to 2 percent of the payment amount or the actual fee. Merchants are required to display a specified notice regarding the surcharge on their premises or, for online purchases, before a customer’s completion of the transaction. The act becomes effective July 1, 2022.
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).
Highlights of the CPA include:
On June 29, the Florida governor signed SB 1120, which prohibits telephone solicitations and sales calls involving an “automated system for the selection or dialing of telephone numbers or the playing of a recorded message” without first receiving the prior express written consent of the called party. Among other things, the act (i) provides a “rebuttable presumption that a telephonic sales call made to any area code in this state is made to a Florida resident or to a person in this state at the time of the call”; (ii) provides a private right of action to enjoin such violations or recover the greater of actual damages or $500; and (iii) authorizes a court to increase the amount of the award for willful and knowing violations. Additionally, Florida law is amended to provide that it is an unlawful act or practice to, among other things, make “[m]ore than three commercial telephone solicitation phone calls from any number to a person over a 24-hour period on the same subject matter or issue, regardless of the phone number used to make the call.” Additionally, companies may not use technology to “deliberately display a different caller identification number than the number the call is originating from to conceal the true identity of the caller.” The act takes effect July 1.
On June 23, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to incorporate changes to its debt collection license requirements and application. As previously covered by InfoBytes, in 2020, California enacted the “Debt Collection Licensing Act” (the Act), which requires a person engaging in the business of debt collecting in the state, as defined by the Act, to be licensed and provides for the regulation and oversight of debt collectors by DFPI. In April, DFPI issued an NPRM to adopt new requirements for debt collectors seeking to obtain a license to operate in the state (covered by InfoBytes here).
Among other things, the most recent NPRM seeks to:
- Revise the definition of “applicant” to clarify that an affiliate who is not applying for a license is not an applicant.
- Include language requirements for documents filed with DFPI.
- Clarify the requirements and appointment process of DFPI as the agent for service of process.
- Eliminate the requirement that an applicant must file a copy of the California Department of Justice Request for Live Scan Service form for each individual with the Nationwide Multistate Licensing System & Registry (NMLS) instead of DFPI.
- Remove requirements regarding the submission of the management chart to DFPI, the extent to which an applicant intends to utilize third parties to perform debt collection functions, and the filing with NMLS of policies and procedures.
- Refine requirements for maintaining media records.
- Refine the process of filing a change in control amendment for new officers, directors, partners, and other control people.
- Establish new branch office registration procedures.
- Eliminate requiring the submission of the total dollar amount of debt collected from consumers to determine whether a higher surety bond is required.
- Remove provisions that would permit DFPI to set a higher surety bond amount.
DFPI’s notice specifies that comments on the most recent proposed modifications are due July 12.
Earlier this year, the Wyoming governor signed HB 8 to authorize sales-finance activities for some licensees and establish procedures and calculations for refunding certain credit-insurance products upon prepayment. Among other things, this act exempts certain supervised financial institutions from certain notice and fee requirements in the Wyoming Uniform Consumer Credit Code (the Code) and generally restructures the Code to repeal statutes for consumer-related and supervised loans, consolidating the provisions for those loans into existing laws for consumer loans. Regarding the MLA, the act authorizes that “the administrator may seek an appropriate remedy, penalty, action or license revocation or suspension.” This act is effective July 1.
On June 26, the Minnesota governor signed omnibus bill HF 6, which, among other things, creates a Student Loan Bill of Rights and outlines new provisions for student loan servicers. The act provides new definitions and, subject to exemptions, requires entities servicing student loans in the state to be licensed. The act outlines servicer duties and responsibilities, including those related to responding to borrower communications, applying overpayments and partial payments, handling student loan transfers, providing income-driven repayment program options, and maintaining records. Additionally, servicers are prohibited from (i) misleading borrowers; (ii) engaging in any unfair or deceptive practices or misrepresenting or omitting information related to a borrower’s student loan obligations; (iii) misapplying payments; (iv) knowingly or negligently providing inaccurate information; (v) failing to provide both favorable and unfavorable payment history to consumer reporting agencies; (vi) refusing to communicate with a borrower’s authorized representative; (vii) making false statements or omitting material facts connected “with any application, information, or reports filed with the commissioner or any other federal, state, or local government agency”; (viii) violating any federal, state, or local law; (ix) providing incorrect information regarding the availability of student loan forgiveness; and (x) failing to comply with outlined duties and obligations. Furthermore, the state commissioner has authority to conduct examinations; deny, suspend, or revoke licenses; censure servicers; and impose civil penalties.
Additionally, as part of the omnibus bill, the definition of “collection agency” now includes a “debt buyer,” which is defined as a “business engaged in the purchase of any charged-off account, bill, or other indebtedness for collection purposes, whether the business collects the account, bill, or other indebtedness, hires a third party for collection, or hires an attorney for litigation related to the collection.” The act also defines an “affiliated company” as “a company that: (1) directly or indirectly controls, is controlled by, or is under common control with another company or companies; (2) has the same executive management team or owner that exerts control over the business operations of the company; (3) maintains a uniform network of corporate and compliance policies and procedures; and (4) does not engage in active collection of debts.” The commissioner is also required to allow affiliated companies to operate under a single license and be subject to a single examination provided all of the affiliated company names are listed on the license. Under the act, debt buyers are required to submit license applications no later than January 1, 2022; however, a debt buyer who has filed an application with the commissioner for a collection agency license before January 1, 2022, and has a pending application thereafter, “may continue to operate without a license until the commissioner approves or denies the application.”
The provisions take effect August 1.