InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Florida allows 60 - 90 day payday loan
On March 19, the Florida governor signed legislation, SB 920, which authorizes the lending of an additional type of payday loan (referred to as, “deferred presentment installment transaction”). The legislation now allows loans under $1,000 that have a repayment term between 60 and 90 days with maximum fees of 8 percent of the outstanding transaction balance charged on a biweekly basis. Fees must be calculated using a simple interest calculation. Previously, Florida only authorized small-dollar loans under $500 that had repayment terms between seven and 30 days (referred to as, “deferred presentment transaction[s]”).
The expansion of the allowable small-dollar loans, appears to be in response to the CFPB’s final rule addressing payday loans, vehicle titles loans, and certain other extensions of credit (previously covered in a Buckley Special Alert), which covers most transactions with repayment terms of less than 45 days. While the CFPB’s rule became effective on January 16, compliance for most of the rule’s provisions is not required until August 2019. Moreover, in January, the CFPB announced its plan to reconsider the final rule (covered by InfoBytes here).
States enact data breach notification laws; Oregon prohibits fees for security freezes
On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.
A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:
- Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
- Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).
Indiana amends financial services legislation, adds allowable charges
On March 13, the Indiana governor signed HB 1397 and SB 377, which make a variety of changes to various Indiana banking, consumer, and financial services laws administered by the state’s Department of Financial Institutions (DFI). Among other things, HB 1397 amends Indiana’s Universal Commercial Credit Code (UCCC) to codify current DFI practice, which allows for additional charges in connection with a consumer credit sale or loan, including charges for a skip-a-payment service ($25 maximum), an expedited payment service ($10 maximum), and a guaranteed asset protection agreement. The legislation also adds electronic funds transfers to the list of return payments that may be assessed a $25 charge. For payday loans, the legislation clarifies that a borrower, during the third consecutive loan or any subsequent consecutive loan, may request an extended payment plan if the rescission period has expired and the borrower has not previously defaulted on the outstanding loan. Indiana’s SB 377 allows for the director of DFI to use certain technology solutions to oversee compliance with and enforce state laws associated with the regulation of payday loans.
Both pieces of legislation are effective July 1.
Mississippi passes amendment concerning open-end credit finance charges
On March 15, the Mississippi governor signed House Bill 1338, which amends sections of the Mississippi Code by authorizing state chartered or domiciled banks that offer open-end credit to assess finance charges, credit service charges, and other fees and charges “at rates and amounts . . . that financial institutions domiciled in other states are permitted to impose and collect when extending credit to Mississippi customers. . . .” In doing so, the amendment strives to retain existing financial services within the state. The amendment takes effect July 1.
Multiple states address cost of security freezes
On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately.
On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. Additionally, the bill also prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed for CRAs to charge a “reasonable fee” in connection with a security freeze service.
Washington governor enacts amendment relating to security freeze fees
On March 13, the Washington governor signed Senate Bill 6018, which amends sections of the state’s Fair Credit Reporting Act addressing the removal of security freezes. Among other things, the amended act prohibits credit reporting agencies (CRAs) from charging a fee for placing, temporarily lifting, or removing a security freeze, or when assigning consumers unique personal identification numbers. Additionally, the offices of cybersecurity and privacy and data protection and the Attorney General’s office are instructed to work with stakeholders to evaluate the amendment’s impact on consumers and CRAs. A findings report must be submitted by December 1, 2020, and include data breach trends and recommendations by federal and state agencies. The amendment takes effect June 7.
Bipartisan group of state Attorneys General denounce potential limitations on state oversight of student loan industry
On March 15, a bipartisan group of 30 state Attorneys General released a letter urging Congress to reject Section 493E(d) of the Higher Education Act reauthorization – H.R. 4508, known as the “PROSPER Act” – which would prohibit states from “overseeing, licensing, or addressing certain state law violations by companies that originate, service, or collect on student loans.” Led by the New York and Colorado Attorneys General, the letter characterizes Section 493E(d) as an “an all-out assault on states’ rights and basic principles of federalism.” According to the letter, if enacted, parts of the student loan industry would be immunized from state-level enforcement, placing a larger consumer protection role on the Department of Education for which the agency is not equipped to handle. The Attorneys General assert that the states have the legal capacity and track record to enforce against abuses in the student loan market; citing to a statistic which estimates $1.38 trillion in student loan debt, the letter highlights previous state enforcement actions and emphasizes the need for states and the federal government to work together to protect U.S. borrowers.
In addition to Section 493E(d) of the PROSPER Act, the Department of Education recently published an interpretation in the Federal Register which takes the position that state regulation of certain federal student loan programs is preempted by federal law, previously covered by InfoBytes here.
Virginia governor enacts amendment relating to security freeze fees
On March 9, the governor of Virginia signed House Bill 1027, which amends sections of the Code of Virginia relating to security freezes and lowers the maximum amount that a credit reporting agency may charge to place, remove, or lift a security freeze on a protected consumer’s credit report from $10 to $5. Victims of identity theft remain exempt from the fee. The amendment takes effect July 1.
South Dakota amends money lending licenses statute
On March 1, the South Dakota governor signed H.B.1082, amending South Dakota’s money lending licenses statute. Pursuant to H.B. 1082, engagement in the “business of lending money,” for which a license is required, is expressly defined not to include engagement in: (i) “any seller-financed transaction for the sale of assets to a purchaser”; or (ii) “any seller-financed transaction for the sale of real estate through a contract for deed,” so long as the interest rate for such transactions does not exceed the rate permitted under S.D. Code Ann. § 54-4-44.
Nebraska, South Dakota enact legislation relating to security breaches and credit freezes
On March 1, the governor of South Dakota signed House Bill 1078 to revise certain provisions addressing the removal of credit security freezes. The amended act states that a security freeze will remain in place until a consumer requests the removal from the consumer reporting agency. The consumer reporting agency is then required to remove the freeze within three business days. Separately, on February 27, the governor signed House Bill 1127 (HB 1127) to revise certain provisions concerning fees charged for security freezes. Among other things, HB 1127 prohibits consumer reporting agencies from charging a fee for placing or removing a security freeze, and stipulates that a consumer reporting agency may advise a third party that a consumer’s credit report has been frozen.
On February 28, the governor of Nebraska approved Legislative Bill 757 strengthening certain provisions of the state’s Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. Among other things, the amendments state that (i) any individual or commercial entity in the state that possesses computerized data containing personal information of Nebraska residents must maintain reasonable security and disposal procedures and practices; (ii) nonaffiliated third-parties with access to personal information must also maintain reasonable security and disposal procedures; and (iii) consumer reporting agencies must provide services free-of-charge for the placement or removal of a credit security freeze. The legislation also outlines additional violations under which the Nebraska Attorney General can enforce protection of consumer privacy in the event of a data breach.