InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
West Virginia updates money transmitter licensing law
Recently, the West Virginia governor signed SB 505, which updates laws regarding licensure and regulation of money transmitters. Among other things, the bill (i) enhances and expands defined terms, including the definition of “control”; (ii) removes the provisional licensing option for check sellers; (iii) gives West Virginia the authority to participate in multistate examinations; (iv) increases the net worth requirement for licensees; (v) sets forth prior approval requirements for a change in control of a licensee; and (vi) requires licensees to maintain specified “permissible investments” at all times. The bill is effective June 7.
Utah enacts financial institution provisions
On March 24, the Utah governor signed SB 183 into law, which amends the state’s provisions related to financial institutions. Among other things, the bill: (i) modifies the definition of “control” for purposes of the Financial Institutions Act and provides penalties for failure to comply with registration and disclosure requirements. Additionally, the bill enacts the Commercial Financing Registration and Disclosure Act, which requires individuals who provide certain commercial financing products to register with the Department of Financial Institutions and make certain disclosures in connection with each commercial financing product.
Arizona and Utah modify various licensing provisions
On March 24, the Arizona governor signed HB 2612, which eliminates requirements for there to be a finding on whether an applicant is law abiding, honest, trustworthy, and of good moral character in order to be eligible for a license, permit, or certification. This applies to bank or in-state financial institution acquisitions, banking, consumer lenders, trust companies, escrow agents, mortgage brokers, mortgage bankers, commercial mortgage brokers, loan originators, financial institution holding companies, premium finance companies, real estate appraisers and appraisal management companies, among others. The bill also makes other technical and conforming changes and takes effect 90 days after adjournment of the legislature.
Earlier, on March 23, the Utah governor signed HB 69, which modifies various licensing provisions under the state’s Residential Mortgage Practices and Licensing Act. The bill also makes various amendments under the Real Estate Licensing and Practices Act related to licensing, fees, and disciplinary actions. Among other things, the bill amends the general qualifications of licensure to make residential mortgage loans, including provisions related to mandatory education requirements for both state applicants and applicants licensed in other states and criminal background checks. Specifically, the bill removes a provision that states a “license is immediately and automatically revoked if the criminal background check discloses the applicant fails to accurately disclose a criminal history involving: (A) the real estate industry; or (B) a felony conviction on the basis of an allegation of fraud, misrepresentation, or deceit.” Additional amendments authorize the commission to impose sanctions against licensees and unregistered persons that were found to be in violation of a provision of the act; discuss the process for filing a written request for the vacation of a license revocation; address pending transactions should the death of a principal broker occur; and remove provisions regarding the payment of certain expenses and costs. The bill takes effect 60 days after adjournment of the legislature.
Idaho places restrictions on automatic subscription renewals
On March 23, the Idaho governor signed SB 1298, adding new provisions to protect consumers from unfair or deceptive trade practices with respect to automatic subscription renewals entered into or renewed on or after January 1, 2023. Specifically, a seller may not make an automatic subscription renewal offer to an Idaho resident unless the seller clearly and conspicuously discloses the terms of the renewal and provides specific cancellation methods. The bill provides that notice must be given to the consumer at least thirty days and no more than sixty days in advance of the date of the delivery or provision of goods or services. Additionally, sellers must provide the same method for cancellation (including free online cancellation) as used by the consumers to subscribe. A violation of the bill’s provisions constitutes a violation of the Idaho consumer protection act.
Utah becomes fourth state to enact comprehensive privacy legislation
On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.
Indiana enacts data breach disclosure requirements
On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.
Mississippi passes debt management provisions
Recently, the Mississippi governor signed HB 687, which establishes debt management services and licensing requirements. According to the bill, debt management service is defined as “[t]he receiving of money from a consumer for the purpose of distributing one or more payments to or among one or more creditors of the consumer in full or partial payment of the consumer's obligation,” among other things. A debt management service provider is “a person that provides or offers to provide to a consumer in this state any debt management services, in return for a fee or other consideration.” A debt management service provider does not include “[a]ny institution that is regulated, supervised or licensed by the department or any out-of-state institution that is insured by the Federal Deposit Insurance Corporation or the National Credit Union Administration,” among other things. Additionally, one cannot operate as a debt management service provider with respect to consumers who are residents of this state without a license. The bill is effective July 1.
Indiana passes loan broker provisions
On March 18, the Indiana governor signed HB 1092, which amends the provisions regarding loan brokers that include requirements for licensing, as well as contract for the services of a loan broker. Among other things, the bill establishes that a loan processing company notice filing must be made on a form prescribed by the commissioner and include the: (i) loan processing company's business name, address, and state of incorporation or business registration; (ii) names of the owners, officers, members, or partners who control the loan processing company; and (iii) name of each individual who is employed by the loan processing company, including the unique identifier from the Nationwide Multistate Licensing System (NMLS) of each loan processor. Additionally, when a contract for the services of a loan broker is assigned, the loan broker shall provide a copy of the signed contract and a written disclosure of any agreement entered into by the loan broker to procure loans exclusively from one lender to each party to the contract. The bill is effective July 22.
Wyoming enacts genetic data privacy provisions
On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected and provides consumers with a private right of action to seek damages from businesses who violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.
Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.
Virginia passes additional VCDPA amendments
On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.
As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.