Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 13, the Connecticut governor signed SB 716 to provide additional protections for student loan borrowers and impose new requirements on student loan servicers. Among other things, the act requires servicers to provide certain information to borrowers and cosigners regarding their rights and responsibilities, including cosigner release eligibility and the cosigner release application process. The law also prohibits a student loan servicer from engaging in an abusive act or practice when servicing a student loan and expands the definition of “servicing” in state student loan servicer law. The law provides a list of exempt persons, which includes banks and credit unions and their wholly-owned subsidiaries. The act states it took effect July 1.
On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone calls, including unwanted robocalls. “Electronic text messages to  mobile devices have become the newest unwelcomed invasive marketing technique. Consumers should not be burdened with excessive and predatory telemarketing in any form, including text messages,” the press release stated. The act takes effect 30 days after becoming law.
On July 12, Colorado enacted HB 1282, which creates the Colorado Nonbank Mortgage Servicers Act under Article 21 and provides additional consumer protections through the regulation of mortgage servicers. Under the act, a mortgage servicer does not include, among others: supervised financial organizations; certain regulated mortgage loan originators; a federal agency or department; a collection agency whose debt collection business involves collecting on defaulted mortgage loans; agencies, instrumentalities, or political subdivisions of the state; supervised lenders that do not service residential mortgages; servicers that service fewer than 5,000 residential mortgage loans annually; nonprofit organizations; government agencies; originators or servicers using a subservicer that does not act under their direction; and persons servicing loans held for sale. The act stipulates that on or after January 31, 2022, a person may not act as a mortgage servicer without providing notice to the administrator and paying the required fees within 30 days after it begins servicing in the state, and on or before January 31 annually thereafter. The act also outlines provisions related to renewal requirements, record retention, and compliance with federal laws and regulations. Under specified administrator powers and duties, the administrator is allowed to bring an enforcement action against a mortgage servicer, seek restitution and civil money penalties, and request an injunction. While the act provides a four-year statute of limitations, an additional one-year extension may be granted if it is proven that a mortgage servicer engaged in calculated conduct to delay commencement of the action. The act, however, does not create a private right of action or “affect any remedy that a borrower may have pursuant to law other than this Article 21.”
On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The defense is available when an action is brought under Connecticut law or in Connecticut state court and where a business’ cybersecurity program conforms to an “industry recognized cybersecurity framework,” including the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and the Payment Card Industry Data Security Standard. A business can also take advantage of the defense if it is regulated by the state or federal government and is subject to, and conforms its cybersecurity program to, current versions of the following federal laws: (i) HIPAA; (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act; or (iv) the Health Information Technology for Economic and Clinical Health Act. Additionally, should one of the identified frameworks or provided laws be amended, a business has six months after publication to conform to the revisions. The act requires a business’ cybersecurity program to, among other things, protect both “restricted information” and “personal information,” and be based on a business’ size and complexity, the nature and scope of its conducted activities, the sensitivity of the protected information, and the cost and availability of tools to improve information security measures and reduce vulnerabilities. The defense will not apply if a business’ “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.” The act takes effect October 1.
On July 1, the Virginia governor signed SB 1410, which, among other things, amends the state’s anti-discrimination statutes to prohibit discrimination in public accommodations, employment, and housing based on military status. The bill amends the Virginia Fair Housing Law to prohibit discrimination in the sale or rental of dwellings by any person or entity, and prohibit discrimination by “any person or other entity, including any lending institution, whose business includes engaging in residential real estate-related transactions.” The bill also provides that “the term ‘residential real estate-related transaction’ means any of the following: [t]he making or purchasing of loans or providing other financial assistance (i) for purchasing, constructing, improving, repairing, or maintaining a dwelling or (ii) secured by residential real estate; or [t]he selling, brokering, insuring, or appraising of residential real property.” The bill is effective immediately.
On July 7, the Colorado governor signed SB 91, which, among other things, repeals a prior ban on surcharges for credit or debit card transactions. The bill limits the maximum surcharge amount per transaction to 2 percent of the payment amount or the actual fee. Merchants are required to display a specified notice regarding the surcharge on their premises or, for online purchases, before a customer’s completion of the transaction. The act becomes effective July 1, 2022.
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).
Highlights of the CPA include:
On June 29, the Florida governor signed SB 1120, which prohibits telephone solicitations and sales calls involving an “automated system for the selection or dialing of telephone numbers or the playing of a recorded message” without first receiving the prior express written consent of the called party. Among other things, the act (i) provides a “rebuttable presumption that a telephonic sales call made to any area code in this state is made to a Florida resident or to a person in this state at the time of the call”; (ii) provides a private right of action to enjoin such violations or recover the greater of actual damages or $500; and (iii) authorizes a court to increase the amount of the award for willful and knowing violations. Additionally, Florida law is amended to provide that it is an unlawful act or practice to, among other things, make “[m]ore than three commercial telephone solicitation phone calls from any number to a person over a 24-hour period on the same subject matter or issue, regardless of the phone number used to make the call.” Additionally, companies may not use technology to “deliberately display a different caller identification number than the number the call is originating from to conceal the true identity of the caller.” The act takes effect July 1.
On June 23, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to incorporate changes to its debt collection license requirements and application. As previously covered by InfoBytes, in 2020, California enacted the “Debt Collection Licensing Act” (the Act), which requires a person engaging in the business of debt collecting in the state, as defined by the Act, to be licensed and provides for the regulation and oversight of debt collectors by DFPI. In April, DFPI issued a NPRM to adopt new requirements for debt collectors seeking to obtain a license to operate in the state (covered by InfoBytes here).
Among other things, the most recent NPRM seeks to:
- Revise the definition of “applicant” to clarify that an affiliate who is not applying for a license is not an applicant.
- Include language requirements for documents filed with DFPI.
- Clarify the requirements and appointment process of DFPI as the agent for service of process.
- Eliminate the requirement that an applicant must file a copy of the California Department of Justice Request for Live Scan Service form for each individual with the Nationwide Multistate Licensing System & Registry (NMLS) instead of DFPI.
- Remove requirements regarding the submission of the management chart being submitted to DFPI, the extent to which an applicant intends to utilize third parties to perform debt collection functions, and the filing with NMLS of policies and procedures.
- Refine requirements for maintaining media records.
- Refine the process of filing a change in control amendment for new officers, directors, partners, and other control people.
- Establish new branch office registration procedures.
- Eliminate requiring the submission of the total dollar amount of debt collected from consumers to determine whether a higher surety bond is required.
- Remove provisions that would permit DFPI to set a higher surety bond amount.
DFPI’s notice specifies that comments on the most recent proposed modifications are due July 12.
Earlier this year, the Wyoming governor signed HB 8 to authorize sales-finance activities for some licensees and establish procedures and calculations for refunding certain credit-insurance products upon prepayment. Among other things, this act exempts certain supervised financial institutions from certain notice and fee requirements in the Wyoming Uniform Consumer Credit Code (the Code) and generally restructures the Code to repeal statutes for consumer-related and supervised loans, consolidating the provisions for those loans into existing laws for consumer loans. Regarding the MLA, the act authorizes that “the administrator may seek an appropriate remedy, penalty, action or license revocation or suspension.” This act is effective July 1.
- Daniel R. Alonso to moderate an interactive roundtable at the Latin Lawyer and GIR Connect: Anti-Corruption & Investigations Conference
- APPROVED Checkpoint Webcast: You have license renewal questions, we have answers
- Jonice Gray Tucker to discuss “Fintech trends” at the BIHC Network Elevating Black Excellence Regional Summit
- Jeffrey P. Naimon to discuss "Truth in lending” at the American Bar Association National Institute on Consumer Financial Services Basics
- Daniel R. Alonso to discuss anti-money-laundering at FELABAN Spanish-language webinar “Perspective for banks: LAFT, FINCEN, OFAC, Cryptocurrency”
- Daniel R. Alonso to discuss "What’s new in BSA/AML compliance?" at the Institute of International Bankers Regulatory Compliance Seminar
- Marshall T. Bell and John R. Coleman to speak at 2021 AFSA Annual Meeting
- Jon David D. Langlois to discuss "Regulatory update: What you need to know under the new boss; It won’t be the same as the old boss" at the IMN Residential Mortgage Service Rights Forum (East)
- Daniel R. Alonso to discuss internal investigations at the Institute of Internal Auditors of Argentina Spanish-language webinar
- Benjamin B. Klubes to discuss “Creating a Fantastic Workplace Culture”
- John R. Coleman and Amanda R. Lawrence to discuss “Consumer financial services government enforcement actions – The CFPB and beyond” at the Government Investigations & Civil Litigation Institute Annual Meeting
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Jonice Gray Tucker to discuss “Regulators always ring twice: Responding to a government request” at ALM Legalweek