Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Texas enacts data broker requirements

    State Issues

    The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.

    The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.

    The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.

    State Issues Privacy, Cyber Risk & Data Security State Legislation Texas Data Brokers Third-Party

  • Connecticut establishes rules for virtual currency kiosks

    State Issues

    On June 27, the Connecticut governor signed HB 6752 (the “Act”) to establish certain requirements for owners or operators of virtual currency kiosks in the state. Among other things, the commissioner has the authority to establish regulations, forms, and orders that govern the use of digital assets, such as virtual currencies and stablecoins, by regulated entities and individuals. When adopting, amending, or rescinding any such regulation, form, or order, the commissioner may consult with federal financial services regulators, regulators from other states, as well as other stakeholders and industry professionals to promote the consistent treatment and handling of digital assets. Definitions for “virtual currency address,” “virtual currency kiosk,” and “virtual currency wallet” have also been added.

    The Act further provides that prior to engaging in an initial virtual currency transaction with a customer, the owner or operator of a virtual currency kiosk is required to provide clear and conspicuous written disclosures in English regarding the material risks associated with virtual currency. These disclosures should cover several key points, including a prominent and bold warning acknowledging that losses resulting from fraudulent or accidental transactions may not be recoverable, transactions in virtual currency are irreversible, and that the nature of virtual currency may lead to an increased risk of fraud or cyber-attack. Disclosures must also address a customer’s liability for unauthorized virtual currency transactions, a customer’s right to stop payment for a preauthorized virtual currency transfer (along with the process to initiate a stop-payment order), and circumstances in which the owner or operator will disclose information regarding the customer’s account to third parties, unless required by a court or government order. Additionally, customers must be provided upfront information relating to the amount of the transaction, any fees, expenses, and charges, and any applicable warnings. It is the responsibility of the owner or operator of a virtual currency kiosk to ensure that every customer acknowledges the receipt of all disclosures mandated by the Act, and to provide receipts upon completion of any virtual currency transaction. The Act is effective October 1.

    State Issues Digital Assets Fintech Virtual Currency State Legislation Connecticut

  • Connecticut amends requirements for small lenders

    On June 29, SB 1033 (the “Act) was enacted in Connecticut to amend the banking statutes. The Act, among other things, (i) redefines “small loan”; (ii) redefines “APR” to be calculated based on the Military Lending Act and include the cost of ancillary products among other fees as part of the “finance charge”; (iii) requires more people to obtain small loan licenses; (iv) requires that certain small loans are worth $5,000-$50,000, which is intended to capture larger loans particularly for student borrowers who may enter into income sharing agreements; (v) prohibits small loans from providing for an advance exceeding an unpaid principal of $50,000; and (vi) eliminates a requirement that certain people demonstrate an ability to supervise mortgage servicing offices in person. The Act also includes new licensing provisions, adding that any person who acts as an agent or service provider for a person who is exempt from licensure requires licensure if (i) they have a predominant economic interest in a small loan; (ii) they facilitate and hold the right to purchase the small loan, receivables or interest in the small loan; or (iii) the person is a lender who structured the loan to evade provisions in the Act. If the facts and circumstances deem the person a lender, they must be licensed under the Act.

    Licensing State Issues Small Dollar Lending Loan Origination Connecticut State Legislation

  • New Hampshire amends rules for interest on escrow accounts

    State Issues

    On June 20, New Hampshire enacted HB 520 (the “Act”) to amend provisions relating to escrow accounts maintained by licensed nondepository mortgage bankers, brokers, and servicers. The Act amends guidelines surrounding interest payments to escrow accounts maintained for the payment of taxes or insurance premiums related to loans on single family homes in New Hampshire and property secured by real estate mortgages. For both (single family homes and property) accounts, payments must be at a rate no less than the National Deposit Rate for Savings Accounts. Further, interest payments during the six-month period beginning on April 1 of each year, must be no less than the FDIC published rate in January of the same year, whereas interest payments during the six-month period beginning on October 1 of each year, must be no less than the FDIC published rate in July of the same year. 

    The Act was effective upon its passage.

    State Issues State Legislation Mortgages Interest New Hampshire FDIC Escrow Consumer Finance

  • Nevada to regulate student loan servicers and lenders

    On June 14, the Nevada governor signed AB 332 (the “Act”) which provides for the licensing and regulation of student loan servicers. The Act also implements provisions for the regulation of private education loans and lenders. Among other things, the Act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Commissioner of Financial Institutions. Specifically, the Act states that a person seeking to act as a student loan servicer is exempt from the application requirements only if the commissioner determines that the person’s servicing performed in the state is conducted pursuant to a contract awarded by the U.S. Secretary of Education.

    The Act also outlines numerous requirements relating to licensing applications, including that the commissioner may participate in the Nationwide Multistate Licensing System and Registry (NMLS), and may instruct NMLS to act on his or her behalf to, among other things, collect and maintain records of applicants and licensees, collect and process fees, process applications, and perform background checks. The commissioner is also permitted to enter into agreements or sharing arrangements with other governmental agencies, the Conference of State Bank Supervisors, the State Regulatory Registry, or other such associations. Additional licensing provisions set forth requirements relating to licensing renewals, reinstatements, surrenders, and denials; liquidity standards; and bond requirements. The commissioner is also granted general supervisory, investigative, and enforcement authority relating to student loan servicers and student education loans and may impose civil penalties for violations of the Act’s provisions. The commissioner must conduct investigations and examinations at least once a year (with licensees being required to pay for such investigations and examinations). The Act further provides that the student loan ombudsman shall enter into an information sharing agreement with the office of the attorney general to facilitate the sharing of borrower complaints.

    With respect to private education lenders, the Act establishes certain protections for cosigners of private education loans and prohibits private education lenders from accelerating the repayment of a private education loan, in whole or in part, except in cases of payment default. A lender may be able to accelerate payments on loans made prior to January 1, 2024, provided the promissory note or loan agreement explicitly authorizes an acceleration based on established criteria. The Act also sets forth responsibilities for lenders in the case of the total and permanent disability of a private education loan borrower or cosigner, including cosigner release requirements. Additional provisions outline prohibited conduct and create requirements and prohibitions governing lenders’ business practices. Furthermore, private education lenders are not exempt from any applicable licensing requirements imposed by any other specific statute.

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on January 1, 2024 for all other purposes.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS

  • Rhode Island enacts provisions for real estate appraisal

    On June 20, the Rhode Island state governor signed SB 850 (the “Act”), which amends the Real Estate Appraiser Certification Act and the Real Estate Appraisal Management Company (AMC) Registration Act for consistency with federal laws and recommendations from the appraisal subcommittee. Among other things, the Act includes new terminology, including “covered transaction” and “state-licensed real estate appraiser.” This Act sets forth numerous additional provisions, one of which requires that appraisals must be performed by licensed or certified appraisers unless they are specifically exempt under federal law. Also amended are state-certified appraisers and state-licensed appraisers’ classifications. Specifically, the text defining residential property appraisal is replaced with a general statement that requirements for certification and licensing of appraisers will be “as required by the appraiser qualifications board of the appraisal foundation.” Another addition addresses the continuing education requirement for state-licensed and state-certified real estate appraisers, which now stipulates that up to one-half of an individual’s continuing education requirement may be completed by participation in certain educational activities approved by the board. Concerning registration, the Act contains a new subsection, detailing that AMCs cannot be registered in the state if any owner (an individual who owns more than 10 percent) of the AMC fails to submit to a background check or any owner is determined by the director to not have good moral character. Among other amendments, the Act also stipulates that registration is now valid for only one year (previously two years) after issuance.

    The Act is effective upon passage.

    Licensing State Issues State Legislation Rhode Island Appraisal

  • Nevada enacts health data privacy measures

    Privacy, Cyber Risk & Data Security

    On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.

    The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.

    Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability.  Additionally, under existing law if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.

    The Act is effective March 31, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Medical Data Nevada HIPAA Consumer Protection

  • Nevada amends licensing and regulation provisions

    On June 15, the Nevada governor signed SB 355 (the “Act”) to amend several provisions relating to existing state law, which provides for the licensure and regulation of various financial institutions by the Commissioner of Financial Institutions. Among other things, the Act prohibits the commissioner “from requiring an applicant for a license to establish a new depository institution to identify the physical address of the proposed depository institution in the application for the license.” Additionally, while the Act requires data collectors that own, license, or maintain personal information to provide notice to the state attorney general and certain other persons of certain breaches of security involving personal information, the amendments now exempt persons licensed to engage in the business of lending in Nevada from these requirements.

    The Act sets forth numerous other provisions, including (i) removing the requirement that debt collection agencies notify a medical debtor via registered or certified mail before taking any action to collect a medical debt; (ii) authorizing certain financial institution employees to temporarily delay certain financial transactions involving the suspected exploitation of an older person or vulnerable person (and setting forth certain liability exemptions); and (iii) authorizing an employee of a licensee to engage in the business of lending in the state at a remote location if authorized by the licensee and specific criteria are met (the Act also outlines prohibited conduct for persons working remotely). Remote work provisions apply to employees of a mortgage company, including mortgage loan originators, so long as the mortgage company provides authorization. The Act also exempts remote locations from certain mortgage transaction recordkeeping requirements, and instead stipulates that a mortgage company must “keep and maintain records of all mortgage transactions made by an employee at a remote location in accordance with the requirements established by the Commissioner of Mortgage Lending by regulation.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act.  The remaining provisions take effect October 1, 2023, and January 1, 2024.

    Licensing State Issues State Legislation Nevada

  • Nevada expands collection agency licensing requirements

    On June 16, the Nevada governor signed SB 276 (the “Act”) to revise certain provisions relating to debt collection agencies and make amendments to the state’s collection agency licensing law. While existing law requires collection agencies to be licensed, the amendments expand the type of activities that trigger collection agency licensure. Notably, the Act now requires any “debt buyer” to hold a license, which is defined as “a person who is regularly engaged in the business of purchasing claims that have been charged off for the purpose of collecting such claims, including, without limitation, by personally collecting claims, hiring a third party to collect claims or hiring an attorney to engage in litigation for the purpose of collecting claims.” Mortgage servicers, however, are now exempt unless the “mortgage servicer is attempting to collect a claim that was assigned when the relevant loan was in default.” The amendments also repeal provisions governing foreign collection agencies and now require that such agencies be licensed in the same fashion as domestic collection agencies.

    In addition to licensed mortgage servicers the amendments also exclude others from the definition of the term “collection agency,” including an expanded list of certain financial institutions (as well as their employees), persons collecting claims that they originated on their own behalf or originated and sold, and other persons not deemed to be debt collectors under federal law. The term “collection agent” has also been refined to exempt persons who do not act on behalf of a collection agency from requirements governing collection agents.

    The Act revises requirements relating to “compliance managers” (formerly referred to as “collection managers”) – including an avenue to request a waiver from the Nevada compliance manager examination requirement if certain experiential requirements are met – and makes changes to certain record retention and application requirements, including amendments to the frequency with which the commissioner reviews a licensee’s required bond amount (annually instead of semiannually). A provision requiring applicants to pursue branch licenses for second or remote locations is also repealed. Instead, collection agencies must simply notify the commissioner of the location of the branch office. Further, collection agencies are now required to display license numbers and certificate identification numbers of compliance managers on any website maintained by the collection agency.

    Additionally, the Act now authorizes collection agents to work remotely provided the agents meet certain criteria, including: (i) signing a written agreement prepared by the collection agency that requires the agent to maintain agency-appropriate security measures to ensure the confidentiality of customer information; (ii) refraining from disclosing details about the remote location to a debtor; (iii) refraining from conducting collection activity-related work with a debtor or customer in person at the remote location; (iv) allowing work conducted from the remote location to be monitored; and (v) completing various compliance and privacy training programs. Remote collection agents must adhere to certain practices requirements and restrictions set forth by both the Act and the FDCPA. Collection agencies must also maintain records of remote collection agents, provide oversight and monitoring of collection agents that work remotely, develop and implement a written security policy governing remote collection agents, and establish procedures to ensure collection agents working remotely are not acting in an illegal, unethical, or unsafe manner.

    Finally, the Act imposes new prohibitions against collection agencies and their agents and employees. Among other things, a collection agency (and its compliance manager, agents, or employees) is banned from suing to collect a debt when it knows or should have known that the applicable statute of limitations has expired. The amendments further clarify that the applicable limitation period is not revived upon “payment made on a debt or certain other activity relating to the debt after the time period for filing an action based on a debt has expired.” Certain notice must also be given to a medical debtor notifying that such a payment does not revive the applicable statute of limitations. A collection agency may also not sell “an interest in a resolved claim or any personal or financial information related to the resolved claim.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on October 1, 2023 for all other purposes. “Debt buyers” have until January 1, 2024 to submit a collection agency license application pursuant to the new provisions.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS

  • Connecticut joins states enacting commercial financing disclosures and lender and broker registration requirements

    State Issues

    On June 28, Connecticut became the latest state to require certain providers of sales-based commercial financing to provide disclosures to borrowers and that such providers and brokers register with the state. SB 1032 (the “Act”) defines “commercial financing” as any extension of sales-based financing by a provider in amounts of $250,000 or less, which the recipient does not intend to use primarily for personal, family, or household purposes. A “provider” is defined by the Act as “a person who extends a specific offer of commercial financing to a recipient” and includes, unless otherwise exempt, a “commercial financing broker,” but does not include “a bank, out-of-state bank, bank holding company, Connecticut credit union, federal credit union, out-of-state credit union or any subsidiary or affiliate of the foregoing.” “Sales-based financing” means a transaction that is repaid by the recipient to the provider over time (i) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the volume of sales made or revenue received by the recipient, or (ii) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue. The Act establishes parameters for qualifying commercial transactions and outlines numerous additional exemptions.

    Under the Act, when extending a specific offer for sales-based financing, the provider must disclose the terms of the transaction as specified within the Act. As a condition of obtaining commercial financing, should the provider require a recipient to pay off the balance of existing commercial financing from the same provider, the provider would be required to include additional disclosures. The Act also discusses conditions and criteria when using another state’s commercial financing disclosure requirements that meet or exceed Connecticut’s provisions may be permitted. Providers may rely on a statement of intended purpose made by the “recipient” (defined as “a person, or the authorized representative of a person, who applies for commercial financing and is made a specific offer of commercial financing by a provider”) to determine whether the financing is commercial financing.

    Further, the Act provides that a commercial financing contract entered into on or after July 1, 2024, may not contain any provisions waiving a recipient’s right to notice, judicial hearing, or prior court order in connection with the provider obtaining any prejudgment remedy. Additionally, a provider may not revoke, withdraw, or modify a specific offer until midnight of the third calendar day after the date of the offer. Notably, there is a requirement that providers and brokers of commercial financing be registered with the state banking commissioner, in addition to adhering to the prescribed disclosure requirements, no later than October 1, 2024.

    Finally, the banking commissioner is authorized to adopt regulations to carry out the Act’s provisions. Providers who violate the Act’s provisions, or any adopted regulations, will be subject to civil penalties. The commissioner may also seek injunctive relief against providers who knowingly violate any of the provisions.

    The Act takes effect July 1, 2024.

    State Issues State Legislation Connecticut Commercial Finance Disclosures Broker

Pages

Upcoming Events