InfoBytes Blog

Financial Services Law Insights and Observations

  • Nevada amends licensing and regulation provisions

    On June 15, the Nevada governor signed SB 355 (the “Act”) to amend several provisions relating to existing state law, which provides for the licensure and regulation of various financial institutions by the Commissioner of Financial Institutions. Among other things, the Act prohibits the commissioner “from requiring an applicant for a license to establish a new depository institution to identify the physical address of the proposed depository institution in the application for the license.” Additionally, while the Act requires data collectors that own, license, or maintain personal information to provide notice to the state attorney general and certain other persons of certain breaches of security involving personal information, the amendments now exempt persons licensed to engage in the business of lending in Nevada from these requirements.

    The Act sets forth numerous other provisions, including (i) removing the requirement that debt collection agencies notify a medical debtor via registered or certified mail before taking any action to collect a medical debt; (ii) authorizing certain financial institution employees to temporarily delay certain financial transactions involving the suspected exploitation of an older person or vulnerable person (and setting forth certain liability exemptions); and (iii) authorizing an employee of a licensee to engage in the business of lending in the state at a remote location if authorized by the licensee and specific criteria are met (the Act also outlines prohibited conduct for persons working remotely). Remote work provisions apply to employees of a mortgage company, including mortgage loan originators, so long as the mortgage company provides authorization. The Act also exempts remote locations from certain mortgage transaction recordkeeping requirements, and instead stipulates that a mortgage company must “keep and maintain records of all mortgage transactions made by an employee at a remote location in accordance with the requirements established by the Commissioner of Mortgage Lending by regulation.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act. The remaining provisions take effect October 1, 2023, and January 1, 2024.

    Licensing State Issues State Legislation Nevada

  • Nevada expands collection agency licensing requirements

    On June 16, the Nevada governor signed SB 276 (the “Act”) to revise certain provisions relating to debt collection agencies and make amendments to the state’s collection agency licensing law. While existing law requires collection agencies to be licensed, the amendments expand the type of activities that trigger collection agency licensure. Notably, the Act now requires any “debt buyer” to hold a license, which is defined as “a person who is regularly engaged in the business of purchasing claims that have been charged off for the purpose of collecting such claims, including, without limitation, by personally collecting claims, hiring a third party to collect claims or hiring an attorney to engage in litigation for the purpose of collecting claims.” Mortgage servicers, however, are now exempt unless the “mortgage servicer is attempting to collect a claim that was assigned when the relevant loan was in default.” The amendments also repeal provisions governing foreign collection agencies and now require that such agencies be licensed in the same fashion as domestic collection agencies.

    In addition to licensed mortgage servicers, the amendments also exclude others from the definition of the term “collection agency,” including an expanded list of certain financial institutions (as well as their employees), persons collecting claims that they originated on their own behalf or originated and sold, and other persons not deemed to be debt collectors under federal law. The term “collection agent” has also been refined to exempt persons who do not act on behalf of a collection agency from requirements governing collection agents.

    The Act revises requirements relating to “compliance managers” (formerly referred to as “collection managers”) – including an avenue to request a waiver from the Nevada compliance manager examination requirement if certain experiential requirements are met – and makes changes to certain record retention and application requirements, including amendments to the frequency with which the commissioner reviews a licensee’s required bond amount (annually instead of semiannually). A provision requiring applicants to pursue branch licenses for second or remote locations is also repealed. Instead, collection agencies must simply notify the commissioner of the location of the branch office. Further, collection agencies are now required to display license numbers and certificate identification numbers of compliance managers on any website maintained by the collection agency.

    Additionally, the Act now authorizes collection agents to work remotely provided the agents meet certain criteria, including: (i) signing a written agreement prepared by the collection agency that requires the agent to maintain agency-appropriate security measures to ensure the confidentiality of customer information; (ii) refraining from disclosing details about the remote location to a debtor; (iii) refraining from conducting collection activity-related work with a debtor or customer in person at the remote location; (iv) allowing work conducted from the remote location to be monitored; and (v) completing various compliance and privacy training programs. Remote collection agents must adhere to certain practices requirements and restrictions set forth by both the Act and the FDCPA. Collection agencies must also maintain records of remote collection agents, provide oversight and monitoring of collection agents that work remotely, develop and implement a written security policy governing remote collection agents, and establish procedures to ensure collection agents working remotely are not acting in an illegal, unethical, or unsafe manner.

    Finally, the Act imposes new prohibitions against collection agencies and their agents and employees. Among other things, a collection agency (and its compliance manager, agents, or employees) is banned from suing to collect a debt when it knows or should have known that the applicable statute of limitations has expired. The amendments further clarify that the applicable limitation period is not revived upon “payment made on a debt or certain other activity relating to the debt after the time period for filing an action based on a debt has expired.” Certain notice must also be given to a medical debtor stating that such a payment does not revive the applicable statute of limitations. A collection agency may also not sell “an interest in a resolved claim or any personal or financial information related to the resolved claim.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on October 1, 2023 for all other purposes. “Debt buyers” have until January 1, 2024 to submit a collection agency license application pursuant to the new provisions.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS

  • Connecticut joins states enacting commercial financing disclosures and lender and broker registration requirements

    State Issues

    On June 28, Connecticut became the latest state to require certain providers of sales-based commercial financing to provide disclosures to borrowers and to require such providers and brokers to register with the state. SB 1032 (the “Act”) defines “commercial financing” as any extension of sales-based financing by a provider in amounts of $250,000 or less, which the recipient does not intend to use primarily for personal, family, or household purposes. A “provider” is defined by the Act as “a person who extends a specific offer of commercial financing to a recipient” and includes, unless otherwise exempt, a “commercial financing broker,” but does not include “a bank, out-of-state bank, bank holding company, Connecticut credit union, federal credit union, out-of-state credit union or any subsidiary or affiliate of the foregoing.” “Sales-based financing” means a transaction that is repaid by the recipient to the provider over time (i) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the volume of sales made or revenue received by the recipient, or (ii) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue. The Act establishes parameters for qualifying commercial transactions and outlines numerous additional exemptions.

    Under the Act, when extending a specific offer for sales-based financing, the provider must disclose the terms of the transaction as specified within the Act. As a condition of obtaining commercial financing, should the provider require a recipient to pay off the balance of existing commercial financing from the same provider, the provider would be required to include additional disclosures. The Act also discusses the conditions and criteria under which the use of another state’s commercial financing disclosure requirements that meet or exceed Connecticut’s provisions may be permitted. Providers may rely on a statement of intended purpose made by the “recipient” (defined as “a person, or the authorized representative of a person, who applies for commercial financing and is made a specific offer of commercial financing by a provider”) to determine whether the financing is commercial financing.

    Further, the Act provides that a commercial financing contract entered into on or after July 1, 2024, may not contain any provisions waiving a recipient’s right to notice, judicial hearing, or prior court order in connection with the provider obtaining any prejudgment remedy. Additionally, a provider may not revoke, withdraw, or modify a specific offer until midnight of the third calendar day after the date of the offer. Notably, there is a requirement that providers and brokers of commercial financing be registered with the state banking commissioner, in addition to adhering to the prescribed disclosure requirements, no later than October 1, 2024.

    Finally, the banking commissioner is authorized to adopt regulations to carry out the Act’s provisions. Providers who violate the Act’s provisions, or any adopted regulations, will be subject to civil penalties. The commissioner may also seek injunctive relief against providers who knowingly violate any of the provisions.

    The Act takes effect July 1, 2024.

    State Issues State Legislation Connecticut Commercial Finance Disclosures Broker

  • Florida enacts commercial financing disclosure requirements

    State Issues

    On June 23, the Florida governor signed HB 1353 (the “Act”), creating the Florida Commercial Financing Disclosure Law and imposing several requirements on commercial financing providers and brokers. The Act defines a “provider” as “a person who consummates more than five commercial financing transactions with a business located in [Florida] in any calendar year.” The definition “also includes a person who enters into a written agreement with a depository institution to arrange a commercial financing transaction between the depository institution and a business via an online lending platform administered by the person.” The Act clarifies, however, the “fact that a provider extends a specific offer for a commercial financing transaction on behalf of a depository institution may not be construed to mean that the provider engaged in lending or financing or originated that loan or financing.” A “commercial financing transaction” is defined broadly and means a secured or unsecured commercial loan, an account receivable purchase transaction, or a commercial open-end credit plan. 

    The Act establishes parameters for qualifying commercial transactions and outlines numerous exemptions, including federally insured depository institutions; transactions secured by real property, a lease, or certain purchase money obligations; transactions of at least $50,000 where the recipient is a motor vehicle dealer or rental company (or an affiliate of such company); providers licensed as money transmitters in any state; and commercial financing transactions greater than $500,000.

    Specifically, at or prior to consummation of a commercial financing transaction, a provider must (i) disclose the terms of the transaction as specified within the Act; (ii) outline the manner and frequency of the payments, including a description of the methodology used to calculate any variable payment amount and the circumstances that may cause a payment amount to vary; and (iii) disclose any costs or discounts associated with prepayment. Disclosures must be in writing and may be based on an example of a transaction that could occur under the agreement. The Act further specifies that only one disclosure is required for each commercial financing transaction. Subsequent disclosures are not required as a result of a modification, forbearance, or change to a consummated commercial financing transaction.

    The Act also defines a “broker” as “a person who, for compensation or the expectation of compensation, arranges a commercial financing transaction or an offer between a third party and a business in [Florida] which would, if executed, be binding upon that third party.” The definition excludes “a provider and any individual or entity whose compensation is not based or dependent upon the terms of the specific commercial financing transaction obtained or offered.” In addition, the Act outlines prohibited conduct and establishes unique broker requirements. Specifically, a broker may not “[a]ssess, collect, or solicit an advance fee from a business to provide services as a broker” (a business may pay for actual services required to apply for a commercial financing transaction), and may not make any false or misleading representations when engaging in the offering or sale of its brokering services.

    The Act explicitly prohibits a private right of action, but instead grants the Florida attorney general exclusive enforcement authority. The AG may seek fines of $500 per incident (not to exceed $20,000 for all aggregated violations). Fines will increase to $1,000 per incident (not to exceed $50,000 for all aggregated violations) for continued violations following receipt of written notice or a prior violation.

    The Act takes effect on July 1.

    State Issues State Legislation Florida Commercial Finance Disclosures Broker

  • Texas is most recent state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On June 18, the Texas governor signed HB 4 to enact the Texas Data Privacy and Security Act (TDPSA) and establish a framework for controlling and processing consumer personal data in the state. Texas follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana in enacting comprehensive consumer privacy measures. Earlier this month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    The TDPSA applies to a person that conducts business in the state or produces products or services consumed by state residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration, except to the extent that it sells sensitive data which requires consumer consent. Unlike other states, there is no data-processing volume threshold. The TDPSA only protects consumers acting in an individual or household capacity and does not cover individuals acting in a commercial or employment context. Additionally, the TDPSA provides several exemptions, including financial institutions or data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, higher education institutions, covered entities governed by the Health Insurance Portability and Accountability Act, and certain utility companies.

    Highlights of the TDPSA include:

    • Consumers’ rights. Under the TDPSA, consumers will be able to access their personal data; confirm whether their data is being processed; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling.
    • Data controllers’ responsibilities. Data controllers under the TDPSA will be responsible for, among other things: (i) responding to consumer requests within 45 days (unless extenuating circumstances arise) and providing requested information free of charge; (ii) establishing a process to allow consumer appeals after a controller’s refusal to take action on a consumer’s request; (iii) providing at least two methods for consumers to exercise their rights; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) establishing easy opt-out methods that require consumers to affirmatively and freely choose to opt out of any processing of their personal data; (vii) processing data in compliance with state and federal anti-discrimination laws; (viii) obtaining consumer consent in order to process sensitive data; (ix) providing clear and reasonably accessible privacy notices; and (x) conducting and retaining data protection assessments and ensuring deidentified data cannot be associated with a consumer. The TDPSA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
    • No private right of action. The TDPSA explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law.
    • Right to cure. Upon discovering a potential violation of the TDPSA, the attorney general must give the data controller notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit and seek up to $7,500 for each violation, as well as injunctive relief, attorney’s fees, and other expenses.

    The TDPSA takes effect July 1, 2024, except for certain provisions relating to methods for submitting consumer requests, which shall take effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Texas Consumer Protection

  • Texas has new licensing requirements for digital-asset platforms

    In June, the Texas governor signed HB 1666 (the “Act”) to add practice restrictions to digital asset service providers, defined as electronic platforms that facilitate the trading of digital assets on behalf of a digital asset customer and maintain custody of the customer’s digital assets. The Act applies to a digital asset service provider conducting business in Texas that holds a money transmission license and either services more than 500 digital asset customers in the state or has at least $10 million in customer funds. Digital asset service providers are required to comply with certain provisions in order to obtain and maintain a money transmission license, including provisions relating to the commingling of funds, customer access to funds, accounting requirements, and annual reporting requirements. The Texas Department of Banking has the authority to suspend and revoke a license if these requirements are not met and may impose a penalty for violations of the Act. The commissioner also has examination authority and may promulgate rules to administer and enforce the Act’s provisions. The Act is effective September 1. Certain financial institutions and entities not required to hold a money transmission license are exempt.

    Licensing State Issues Digital Assets Fintech State Legislation Texas Money Service / Money Transmitters

  • Louisiana amends virtual currency licensing

    On June 13, the Louisiana governor signed SB 185 (the “Act”), which amends provisions relating to the regulation and licensure of virtual currency businesses and is effective immediately. The Act adds and amends several definitions, including “acting in concert,” “affiliate,” “blockchain,” “mining,” “non-fungible token,” “responsible individual,” “unsafe or unsound act or practice,” “virtual currency business activity,” and “virtual currency network.” With respect to licensure, the Act now requires applicants to provide a copy of their business plan, detailing, among other things, the anticipated volume of virtual currency business activities in the state, the expected number of virtual currency locations (including kiosks) in the state, and information on surety bonds and tangible net worth. Applicants must also provide audited financial statements and certificates of coverage for each liability, casualty, business interruption, and cybersecurity insurance policy (applicable policies for affiliates, agents, and control persons are required as well) with respect to an applicant’s virtual currency business activities. The Act also adds numerous licensing conditions and includes new requirements relating to background checks/criminal records/character fitness and fees and costs. Applicants will now be required to provide their financial services-related regulatory history, including information concerning money transmission, securities, banking, insurance, and mortgage-related industries. The Act extended the time that the state’s office of financial institutions has after the completion of an application to notify an applicant of its decision from 30 days to 60 days. If the office denies a license application, an advanced change of control notice, or an advanced change of responsible individual notice, an applicant has 30 days to appeal. Information on submitting annual licensing renewal applications, as well as guidance on providing appropriate disclosures, is also included.

    Furthermore, the Act outlines provisions to protect residents’ assets, including prohibitions on selling, transferring, and assigning virtual currency and commingling assets belonging to a resident with assets belonging to a licensee. Also stipulated within the Act are authorities granted to the commission relating to examinations, investigations, and enforcement activity, as well as the authority to coordinate and share information and conduct joint examinations with other state regulators of virtual currency business activities.

    Licensing State Issues Digital Assets Fintech Virtual Currency State Legislation Louisiana

  • Colorado amends GAP requirements

    State Issues

    The Colorado governor recently signed HB 23-1181 (the “Act”) to codify and amend rules relating to guaranteed asset protection (GAP) agreements (designed to relieve “all or part of a consumer’s liability for the deficiency balance remaining, after the payment of all insurance proceeds,” upon the total loss of a consumer’s motor vehicle that served as collateral for a loan). In addition to adding new definitions and outlining exemptions, the Act also, among other things, (i) establishes conditions, notices, and provisions that must be included in order to offer, sell, provide or administer a GAP agreement in connection with a consumer finance agreement; (ii) establishes that the maximum fee that may be charged for a GAP agreement must not exceed four percent of the amount financed in the consumer credit transaction or $600, whichever amount is greater; (iii) provides that a creditor may contract for, charge, and receive only one GAP fee as part of an agreement regardless of the number of co-borrowers, co-signers, or guarantors; (iv) lays out the process for calculating a deficiency balance and how much a consumer is owed in the event of a total loss; (v) establishes requirements in the event a GAP agreement is cancelled; (vi) details when a consumer must submit a GAP agreement claim after a total loss; and (vii) prohibits the sale of a GAP agreement in specific circumstances.

    The Act is effective January 1, 2024, and applies to GAP agreements entered into on or after this date.

    State Issues State Legislation Colorado Consumer Finance GAP Fees

  • Colorado bill amends student loan provisions and UCCC licensing renewal deadlines

    State Issues

    On June 5, the Colorado governor signed SB 23-248 (the “Act”), which addresses consumer protection in certain credit transactions. Among other things, the bill amends, repeals, and adds sections around lender nomenclature in the Colorado Student Loan Equity Act. The Act defines the terms “private education creditor” and “creditor” as (i) “any person engaged in the business of making or extending private education credit obligation”; (ii) “a holder of a private education credit obligation”; or (iii) “a seller, lessor, lender, or person that makes or arranges a private education credit obligation and to whom the private education credit obligation is initially payable or the assignee of a creditor’s right to payment.” Several exemptions are outlined. The Act also establishes the term “refinanced” to mean when “an existing private education credit obligation is satisfied and replaced by a new private education credit obligation undertaken by the same consumer.” In subsequent sections, words like “lender” and “loan,” amongst other things, are replaced with the newly defined terms. The Act also amends certain provisions relating to Uniform Consumer Credit Code (UCCC) licensing renewal and fee due dates. Specifically, all supervised lender licensees must file for renewal and pay the appropriate renewal fees by July 1 annually, where previously the renewal due date was January 1 each year.

    The Act takes effect the day after the expiration of the 90-day period following adjournment of the general assembly.

    State Issues State Legislation Consumer Finance Colorado Student Lending Licensing

  • Texas enacts digital services bill to protect minors

    Privacy, Cyber Risk & Data Security

    On June 13, the Texas governor signed HB 18 to enact the Securing Children Online through Parental Empowerment (SCOPE) Act. The Act will require digital service providers to register a person’s age and, if the user is determined to be a minor (younger than 18 years of age), the provider is required to: (i) limit the collection of personal identifying information (PII) to what is reasonably necessary to provide the service; (ii) limit use of PII to the purpose for which it was collected; (iii) prevent the user from engaging in financial transactions through the digital service; (iv) prevent the user’s PII from being shared, disclosed, or sold; (v) not use the digital service to collect precise geolocation data on the user; or (vi) not use the digital service for targeted advertising. Digital service providers are also required to create tools for parents to control their minor children’s accounts and privacy settings and should reasonably attempt to limit advertising and algorithms that direct minors to harmful content.

    SCOPE applies only to those who provide a digital service that enables minor users to socially interact with other users on the digital service and create, post, or share content. SCOPE outlines numerous exemptions, including exemptions for financial institutions, certain covered entities governed by the Health Insurance Portability and Accountability Act, certain persons subject to the Family Educational Rights and Privacy Act, and certain affiliates or subsidiaries of an internet service provider.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law (a violation of the Act is considered a deceptive act or practice). The Act takes effect September 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Texas Consumer Protection
