InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Arkansas amends FMLA mortgage licensing provisions
On April 1, the Arkansas governor signed SB 149, which amends provisions related to licensing requirements under the state’s Fair Mortgage Lending Act (FMLA). Among other things, the act (i) modifies certain definitions, including expanding the definition of a mortgage servicer to include a person that makes a payment to a borrower in the case of a home equity conversion mortgage or a reverse mortgage; (ii) clarifies the qualifications for licensure under the FMLA and outlines licensing renewal requirements; (iii) provides a process for the Arkansas Securities Commissioner to allow loan officers to work from a location that is not licensed as the principal place of business or branch office; (iv) modifies the process concerning notice of a change in name or address; and (v) requires licensees to establish and enforce written cybersecurity policies and procedures that comply with the FMLA and any regulations or orders promulgated thereunder. The act takes effect 90 days after adjournment of the legislature.
New York enacts LIBOR replacement provisions
On April 6, the New York Governor signed S297B into law, which addresses the permanent discontinuance of LIBOR for specified contracts, securities, and other instruments that are economically tied to LIBOR. Among other things, S297B stipulates that contracts using LIBOR as a benchmark that do not contain adequate interest rate fallback provisions (or contain a fallback provision “that result[s] in a benchmark replacement, other than a recommended benchmark replacement, that is based in any way on any LIBOR value”) will automatically convert to the “recommended benchmark replacement”—currently the secured overnight financing rate (SOFR)—when LIBOR is no longer available. As previously covered by InfoBytes, all sterling, euro, Swiss franc and Japanese yen settings, and one-week and two-month U.S. dollar settings will cease immediately after December 31, 2021, while all remaining U.S. dollar settings will cease immediately after June 30, 2023. Of note, S297B will not override LIBOR replacements that are mutually agreed upon by contracting parties, and provides a safe harbor from liability for parties that use a recommended benchmark replacement. Further, parties are also prohibited from discharging or refusing to perform contractual obligations or declaring a breach of contract as a result of the discontinuance of LIBOR or the use of a replacement.
Find continuing InfoBytes coverage on LIBOR here.
Mississippi reenacts licensing requirements
On March 17, the Mississippi governor signed HB 1075, which will, among other things, reenact licensing provisions for lenders who provide “credit availability transactions” to customers through fully amortized loans paid over a term of four to 12 months. Under the act, transactions made by unlicensed lenders will be null and void. The act outlines licensing requirements, including those related to annual renewal fees, bond deposits, and expedited licensing requests. The provisions also allow the commissioner to “issue a temporary license authorizing the operation of a credit availability business on the receipt of an application for a license involving principals and owners that are substantially identical to those of an existing licensed credit availability licensee.” Temporary licenses will remain effective until a determination is made on the status of a permanent license. The act also outlines provisions for check cashing business, including licensing requirements and limits on other activities. The act takes effect July 1.
Nebraska amends installment lender and money transmitter licensing requirements
On March 17, the Nebraska governor signed LB 363, which amends certain licensing requirements for installment lenders and money transmitters. Among other things, LB 363 amends provisions of the Nebraska Installment Loan Act related to installment loan licenses and surety bonds to require “any person that holds or acquires any rights of ownership, servicing, or other forms of participation in a loan under the Nebraska Installment Loan Act or that engages with, or conducts loan activity with, an installment loan borrower in connection with a loan under the act” to obtain a license from the department. Additionally, licensees will be required to increase their surety bonds by $50,000 for each branch office licensed under the Nebraska Installment Sales Act. The act also provides that certain licensed persons that operate in the state as a collection agency, credit services organization, or that engage in debt management business are not required to be licensed under the Nebraska Money Transmitters Act. Additional amendments further address the expanded definition of a person engaged in money transmission, as well as investigation and examination authorities. The act takes effect immediately.
Illinois enacts 36 percent rate cap for consumer loans, creates state community reinvestment act
On March 23, the Illinois Governor signed the Predatory Loan Prevention Act, SB 1792, which prohibits lenders from charging more than 36 percent APR on all non-commercial consumer loans under $40,000, including closed-end and open-end credit, retail installment sales contracts, and motor vehicle retail installment sales contracts. For purposes of calculating the APR, the act requires lenders to use the system for calculating a military annual percentage rate under the Military Lending Act. Any loan with an APR exceeding 36 percent will be considered null and void “and no person or entity shall have any right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan.” Additionally, a violation constitutes a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, and carries a potential fine up to $10,000. The act also contains an anti-evasion provision that prohibits persons or entities from “making loans disguised as a personal property sale and leaseback transaction; disguising loan proceeds as a cash rebate for the pretextual installment sale of goods or services; or making, offering, assisting, or arranging a debtor to obtain a loan with a greater rate or interest, consideration, or charge than is permitted by this Act through any method including mail, telephone, internet, or any electronic means regardless of whether the person or entity has a physical location in the State.”
The same day, the governor also signed SB 1608, which, among other things, creates a state version of the Community Reinvestment Act. The act will allow the state to assess whether covered financial institutions, including state-chartered banks, credit unions and non-bank mortgage lenders, are meeting the needs of local communities, including low-income and moderate-income neighborhoods. Financial institutions’ lending practices and community development/redevelopment program investments will be examined by the Secretary of Financial and Professional Regulation, who is granted the authority to conduct examinations in compliance with other state and federal fair lending laws including, but not limited to, the Illinois Human Rights Act, ECOA, and HMDA.
Both acts are effective immediately.
Utah creates certain affirmative defenses for data breaches
On March 11, the Utah governor signed HB 80, which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets specific safeguard requirements to protect personal information and is in place at the time of the data breach has an affirmative defense to claims brought under Utah law or in the courts of the state that allege the person failed to implement reasonable information security controls that resulted in the data breach. A person also has an affirmative defense to claims regarding the failure to appropriately respond to a data breach or provide notice to affected individuals as long as the written cybersecurity program contained specific protocols at the time of the breach that “reasonably complied with the requirements for a written cybersecurity program” for responding to a data breach or for providing notice. HB 80 also outlines the components that a written cybersecurity program must include to be eligible for an affirmative defense, and is effective 60 days following adjournment of the legislature.
Virginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (VCDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018, California became the first state to put in place significant consumer data privacy measures (covered by a Buckley Special Alert). As previously covered by InfoBytes, under the VCDPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The VCDPA also outlines controller responsibilities, including a requirement that, among other things, controllers must enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. While the VCDPA explicitly prohibits a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of no more than $7,500 per violation. Additionally, upon discovering a potential violation of the VCDPA, the attorney general must give the data controller written notice and allow the data controller 30 days to cure the alleged violation before the attorney general can file suit. The VCDPA takes effect January 1, 2023.
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Disclosures. The bill will require businesses that collect consumers’ personal data to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Businesses will also be prohibited from collecting or using additional categories of personal information without first notifying consumers.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).
New York expands commercial lending disclosure coverage
On February 16, the New York governor signed S898, which amends the state’s recently enacted commercial financing disclosure law to expand its coverage and delay the effective date. As previously covered by InfoBytes, in December 2020, the governor signed S5470, which establishes consumer-style disclosure requirements for certain commercial transactions under $500,000. The law exempts (i) financial institutions (defined as a chartered or licensed bank, trust company, industrial loan company, savings and loan association, or federal credit union, authorized to do business in New York); (ii) lenders regulated under the federal Farm Credit Act; (iii) commercial financing transactions secured by real property; (iv) technology service providers; and (v) lenders who make no more than five applicable transactions in New York in a 12-month period. The law is currently set to take effect on June 21, which is 180 days after the December 23, 2020 enactment. As noted by the sponsor memo, prior to signing the law, the governor “expressed concerns about the reach of the bill and the time needed to implement the required rulemaking.” After enactment, the legislature introduced S898, which contains the “negotiated change to the underlying chapter [to] address[] those concerns.”
S898 increases the coverage of the consumer-style disclosure requirements to commercial transactions under $2.5 million and creates a new exemption for certain vehicle dealers. The law also extends the effective date to January 1, 2022.
DFPI requests comment on CCFPL regulations
On February 4, the California Department of Financial Protection and Innovation (DFPI) released an Invitation for Comments on a proposed rulemaking to implement the California Consumer Financial Protection Law (CCFPL). As previously covered by InfoBytes, in September 2020, the governor signed AB 1864, which enacts the CCFPL and established the DFPI name change from the Department of Business Oversight. The CCFPL authorizes DFPI to establish rules relating to the covered persons, service providers, and consumer financial products or services outlined in the law. The invitation for comments describes specific topics for stakeholder consideration when providing comments, but DFPI notes that commenters may provide feedback on “any potential area for rulemaking.” Highlights of the topics for comment include:
- Exemptions. Whether or not DFPI should clarify the scope of the entities exempt from CCFPL.
- Registration Requirements. What industries should be required to first register with DFPI and what rules should be established to facilitate industry oversight, including records and reporting requirements.
- Complaint Handling. What requirements DFPI should establish with regard to timely responses to consumer complaints and inquiries, including timelines and substance of response.
- Consumer UUDAAP. Description of acts or practices that stakeholders believe qualify as “unlawful, unfair, deceptive, or abusive” in consumer transactions, including suggested “requirements DFPI should adopt to prevent the act or practice.”
- Commercial UDAAP and Data Collection. Description of acts or practices that stakeholders believe qualify as unfair, deceptive, and abusive in the commercial space, and whether or not DFPI should define specific acts or practices as unfair, deceptive, or abusive. Additionally, whether or not DFPI should require the collection and reporting of commercial financing data.
- Disclosures. Whether or not DFPI should prescribe rules covering the features of consumer financing disclosures and if so, what the requirements should cover.
- California Credit Cost Limitations. Whether or not DFPI should clarify the applicability of state credit cost limitations, including rate and fee caps, to consumer financial products and services.
Comments must be submitted by March 8.