Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Covered entities in California are reminded that Section 1770 of the Consumer Legal Remedies Act requires persons offering or providing a consumer financial service or product to include certain language when making solicitations. As previously covered by InfoBytes, AB 1904 was enacted last year to amend Section 1770 of the Civil Code relating to unfair methods of competition and unfair or deceptive acts. The amended code prohibits a covered person or a service provider from engaging in unlawful, unfair, deceptive, or abusive acts or practices regarding a consumer financial product or service, such as: (i) misrepresenting the source, sponsorship, approval, or certification; (ii) advertising goods or services with the intent not to sell them as advertised; and (iii) making false or misleading statements of fact concerning reasons for, the existence of, or amounts of, price reductions. The amendments authorize the California Department of Financial Protection and Innovation to bring a civil action for a violation of the law, and make unlawful the failure to include certain information, including a prescribed disclosure, in a solicitation by a covered person, or an entity acting on behalf of a covered person, to a consumer for a consumer financial product or service. Specifically, Cal. Civ. Code § 1770(a)(28) requires covered persons to include the following language in solicitations:
- “The name of the covered person, and, if applicable, the entity acting on behalf of the covered person, and relevant contact information, including a mailing address and telephone number.”
- “The following disclosure statement in at least 18-point bold type and in the language in which the solicitation is drafted: ‘THIS IS AN ADVERTISEMENT. YOU ARE NOT REQUIRED TO MAKE ANY PAYMENT OR TAKE ANY OTHER ACTION IN RESPONSE TO THIS OFFER.’”
The requirements took effect at the beginning of the year.
On June 6, the Colorado governor signed HB 23-1229 (the “Act”) to amend the state’s Uniform Consumer Credit Code (UCCC). Specifically, Colorado has invoked its right under the Depository Institutions Deregulation and Monetary Control Act (DIDMCA) to opt out of a provision that allows state-chartered banks to preempt state interest rates applicable to consumer credit transactions. Sections 521-523 of DIDMCA currently allow state-chartered banks to charge the interest allowed by the state where they are located, regardless of where the borrower is located and regardless of conflicting out-of-state law. Section 525, however, provides states with the authority to opt out of these sections.
Modifications to the UCCC impact requirements for alternative charges for loans not exceeding $1,000, and include the following changes:
- Reduces the permissible acquisition charge on the original loan or any refinanced loan from 10 to eight percent of the amount financed;
- Reduces permissible monthly installment account handling charges based on categories of the amount financed;
- Increases the minimum loan term from 90 days to six months;
- Removes the ability for a lender to charge a delinquency charge on a loan;
- Amends provisions relating to the conditions upon which an acquisition charge must be refunded to a consumer; and
- Limits the number of times a lender can refinance a consumer loan to once a year.
The amendments take effect July 1, 2024, and only apply to consumer credit transactions made after that date.
The Maryland governor recently signed HB 1150 (the “Act”), which subjects certain shared appreciation agreements (SAAs) to the Maryland Mortgage Lender Law. Under the Act, the term “loan” now “includes an advance made in accordance with the terms of a shared appreciation agreement.” An SAA is defined by the Act to mean “a writing evidencing a transaction or any option, future, or any other derivative between a person and a consumer where the consumer receives money or any other item of value in exchange for an interest or future interest in a dwelling or residential real estate, or a future obligation to repay a sum on the occurrence of [certain] events,” such as an ownership transfer, a repayment maturity date, a consumer’s death, or other events. The Act specifies that a loan is subject to the state’s mortgage lender law if the loan is an SAA and “allows a borrower to repay advances and have any repaid amounts subsequently readvanced to the borrower.”
Interim guidance released by the Maryland Commissioner of Financial Regulation further clarifies that SAAs are mortgage loans, and that those who offer SAAs to consumers in the state are required to obtain a Maryland mortgage lender licensing unless exempt. Under the Act, the commissioner will issue regulations addressing enforcement and compliance, including SAA disclosure requirements. The Act takes effect July 1. However, for SAA applications taken on or after July 1 (and until regulations are promulgated and effective), the commissioner will not cite a licensee for disclosure requirement violations, provided the licensee makes a good faith effort to give the applicant specified information within ten days of receiving an application. Licensees will be required to provide the information again at least 72 hours before settlement if the actual terms of the SAA differ from those provided in the initial disclosure.
On May 25, the Florida governor signed HB 761 (the “Act”) to clarify notice requirements relating to telephone and text message solicitations and to outline conditions under which certain civil actions may be brought. Specifically, the amendments provide that “unsolicited” telephone sales calls involving an automated system used to select and dial numbers or one that plays a recorded message cannot be made without the prior express written consent of the called party. Consent may now be obtained by a consumer “checking a box indicating consent or responding affirmatively to receiving text messages, to an advertising campaign, or to an e-mail solicitation.”
The Act also clarifies that before the commencement of a civil action for damages for text message solicitations, the called party must reply “STOP” to the number that sent the message. The called party may bring an action only if consent is not given and the telephone solicitor continues to send text messages 15 days after being told to cease. The new requirements apply to any suit filed on or after the Act’s immediate effective date, as well as to any putative class action not certified on or before the effective date of the Act. The Act became effective immediately.
Minnesota enacts small-dollar consumer lending and money transmitter amendments; Georgia and Nevada also enact money transmission provisions
On May 24, the Minnesota governor signed SF 2744 to amend several state statutes relating to financial institutions, including provisions concerning small-dollar, short-term consumer lending, payday lending, and money transmitter requirements. Changes to the statutes governing consumer small loans and consumer short-term loans amend the definition of “annual percentage rate” (APR) to include “all interest, finance charges, and fees,” as well as the definition of a “consumer short-term loan” to mean a loan with a principal amount or an advance on a credit limit of $1,300 (previously $1,000). The amendments outline certain prohibited actions and also cap the permissible APR on a loan at no more than 50 percent and stipulate that lenders are not permitted to add other charges or payments in connection with these loans. The changes apply to loans originated on or after January 1, 2024. The amendments also make several modifications to provisions relating to payday loans with APRs exceeding 36 percent, including requirements for conducting an ability to repay analysis. These provisions are effective January 1, 2024.
Several new provisions relating to the regulation and licensing of money transmitters are also outlined within the amendments. New definitions and exemptions are provided, as well implementation instructions that provide the state commissioner authority to “enter into agreements or relationships with other government officials or federal and state regulatory agencies and regulatory associations in order to (i) improve efficiencies and reduce regulatory burden by standardizing methods or procedures, and (ii) share resources, records, or related information obtained under this chapter.” The commissioner may also accept licensing, examination, or investigation reports, as well as audit reports, made by other state or federal government agencies. To efficiently minimize regulatory burden, the commissioner is authorized to participate in multistate supervisory processes coordinated through the Conference of State Bank Supervisors (CSBS), the Money Transmitter Regulators Association, and others, for all licensees that hold licenses in the state of Minnesota and other states. Additionally, the commissioner has enforcement, examination, and supervision authority, may adopt implementing regulations, and may recover costs and fees associated with applications, examinations, investigations, and other related actions. The commissioner may also participate in joint examinations or investigations with other states.
With respect to the licensing provisions, the amendments state that a “person is prohibited from engaging in the business of money transmission, or advertising, soliciting, or representing that the person provides money transmission, unless the person is licensed under this chapter” or is a licensee’s authorized delegate or exempt. Licenses are not transferable or assignable. The commissioner may establish relationships or contracts with the Nationwide Multi-State Licensing System and Registry and participate in nationwide protocols for licensing cooperation and coordination among state regulators if the protocols are consistent with the outlined provisions. The amendments also outline numerous licensing application and renewal procedures including net worth and surety bond, as well as permissible investment requirements.
The same day, the Nevada governor signed AB 21 to revise certain provisions relating to the licensing and regulation of money transmitters in the state. The amendments generally revise and repeal various statutory provisions to establish a process for governing persons engaged in the business of money transmission that is modeled after the Model Money Transmission Modernization Act approved by the CSBS. Like Minnesota, the commissioner may participate in multistate supervisory processes and information sharing with other state and federal regulators. The commissioner also has expanded examination and enforcement authority over licensees. The Act is effective July 1.
Additionally, the Georgia governor signed HB 55 earlier in May to amend provisions relating to the licensing of money transmitters (and to merge provisions related to licensing of sellers of payment instruments). The Act addresses licensee requirements and prohibited activities, outlines exemptions, and provides that applications pending as of July 1, “for a seller of payment instruments license shall be deemed to be an application for a money transmitter license as of that date.” Notably, should a license be suspended, revoked, surrendered, or expired, the licensee must, “within five business days, provide documentation to the department demonstrating that the licensee has notified all applicable authorized agents whose names are on record with the department of the suspension, revocation, surrender, or expiration of the license.” The Act is also effective July 1.
On May 19, the Arizona governor signed HB 2010 to amend certain sections of the Arizona revised statutes relating to the Department of Insurance and Financial Institutions. Amendments make changes to several licensing provisions, including the length of time a license remains active and licensure renewal requirements. The Act provides that on or before June 30 of each year, a licensee may renew each license without investigation by paying prescribed fees. Other revisions amend accounting practices and record retention requirements for mortgage brokers, mortgage bankers, and commercial mortgage bankers, among others. HB 2010 is effective 90 days after enactment.
The Iowa governor recently signed HF 675 to revise certain provisions of the Uniform Money Transmission Modernization Act. The Act is designed to eliminate unnecessary regulatory burden and harmonize the licensing and regulation of money transmitters with other states. Among other things, the Act defines terms for when a state money services business (MSB) license is required and adds a process for joint multistate examination and supervision of MSB licensees. The Act also outlines several exemptions, including federally insured depository institutions and certain persons appointed as an agent of a payee who collect and process payments from a payor to the payee for goods or services (other than money transmission itself).
With respect to licensing provisions, the Act states that a person shall not engage in the business of money transmission unless they are licensed. New provisions modify the licensing process, including by requiring that applications be approved 121 days after completion, unless denied or approved earlier by the superintendent. The license will take effect the first business day after expiration of the 120-day period (although the superintendent may for good cause extend the application period). The Act also outlines licensing application renewal procedures, requirements for maintaining licensure, processes for person(s) seeking to acquire control of a licensee or seeking to change key individuals, authorized delegate provisions, net worth and surety bond criteria, permissible investments, and reporting and financial condition requirements, among other criteria. The Act further specifies that a person who engages in the business of money transmission on behalf of a person not licensed under the chapter “provides money transmission to the same extent as if the person were a licensee, and shall be jointly and severally liable with the unlicensed or nonexempt person.” The Act takes effect July 1.
On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, and Tennessee. The CDPA applies to any person that conducts business in the state or produces products or services targeted to state residents and, during a calendar year, (i) controls or processes personal data of at least 50,000 consumers (“excluding personal data controlled or processed solely for the purpose of completing a payment transaction”), or (ii) controls or processes personal data of at least 25,000 consumers and derives 25 percent of gross revenue from the sale of personal data. The CDPA provides several exemptions, including nonprofit organizations, registered securities associations, financial institutions, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, and covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of the CDPA include:
- Consumers’ rights. Under the CDPA, consumers will be able to access their personal data; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the sale of their data. A consumer may also designate an authorized agent to act on the consumer’s behalf to opt out of the processing of their personal data.
- Data controllers’ responsibilities. Data controllers under the CDPA will be responsible for, among other things, (i) responding to consumer requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, one for each consumer during a 12-month period; (ii) establishing a process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) establishing clear and conspicuous opt-out methods on a website that require consumers to affirmatively and freely choose to opt out of any processing of their personal data (and allowing for a mechanism that lets consumers revoke consent that is at least as easy as the mechanism used to provide consent); (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) processing data in compliance with state and federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) providing clear and meaningful privacy notices; and (ix) conducting data protection assessments and ensuring deidentified data cannot be associated with a consumer. The CDPA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action but enforcement by state attorney general. The CDPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the CDPA, the attorney general must give the data controller notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit. The cure provision expires April 1, 2026.
The CDPA takes effect October 1, 2024.
On May 1, the Georgia governor signed SB 90 to, among other things, require disclosures in connection with commercial financing transactions of $500,000 or less. The amendments modify the existing state Fair Business Practices Act and apply to “commercial loans” and “commercial open-end credit plans.” The amendments define a “provider” as “a person who consummates more than five commercial financing transactions in this state during any calendar year and includes, but is not limited to, a person who, under a written agreement with a depository institution, offers one or more commercial financing products provided by the depository institution via an online platform that the person administers.” The amendments also establish parameters for qualifying commercial transactions and outline numerous exemptions. Specifically, prior to consummating a commercial financing transaction, a provider must (i) disclose the terms of the transaction as specified within the amendments, and (ii) include a description of the methodology used to calculate any variable payment amount and the circumstances that may cause a payment amount to vary. The provisions apply to any commercial financing transaction consummated on or after January 1, 2024. The amendments also address unfair or deceptive practices relating to brokerage engagements and is effective January 1, 2024.
On May 11, the Tennessee governor signed HB 1181 to enact the Tennessee Information Protection Act (TIPA) and establish a framework for controlling and processing consumers’ personal data in the state. Tennessee is now the eighth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, and Indiana. TIPA applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Tennessee residents or (ii) controls or processes personal data of at least 25,000 Tennessee residents and derives 50 percent of gross revenue from the sale of personal data. TIPA provides for several exemptions, including financial institutions and data governed by the Gramm-Leach-Bliley Act and certain other federal laws, as well as covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of TIPA include:
- Consumers’ rights. Under TIPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; request what categories of information were sold or disclosed; and opt out of the sale of their data.
- Controllers’ responsibilities. Data controllers under TIPA will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) not processing data for reasons incompatible with the specified purpose; (v) securing personal data from unauthorized access; (vi) not processing data in violation of state or federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (ix) providing clear and meaningful privacy notices. TIPA also sets forth obligations relating to contracts between a controller and a processor.
- No private right of action but enforcement by state attorney general. TIPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law and seek penalties of up to $15,000 per violation and treble damages for willful or knowing violations. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
- Right to cure. Upon discovering a potential violation of TIPA, the attorney general must give the data controller written notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit.
- Affirmative defense. TIPA establishes an affirmative defense for violations for controllers and processors that adopt a privacy program “that reasonably conforms” to the National Institute of Standards and Technology Privacy Framework and complies with required provisions. Failing “to maintain a privacy program that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy” will be considered an unfair and deceptive act or practice under Tennessee law.
TIPA takes effect July 1, 2024.