InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Alabama enacts data breach notification law
On March 28, the Alabama governor signed SB 318, The Alabama Data Breach Notification Act of 2018 (Act), which requires entities doing business in the state to (i) notify consumers within 45 days if their personal data has been compromised in a data breach; and (ii) notify the state Attorney General and consumer reporting agencies if more than 1,000 individuals have been impacted. The Act also states that third-party agents, entities that have been contracted to maintain, store, process, or otherwise access sensitive personally identifying information in connection with providing services to a covered entity, are required to notify the covered entity of a breach of security “no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” Additionally, the Act gives the state Attorney General authority to prosecute a failure to disclose a data breach as an unlawful act or practice under the Alabama Deceptive Trade Practices Act, which can result in daily penalties of up to $5,000 per violation. However, entities that follow the notice requirements of industry-specific state or federal laws or regulations are exempt from the Alabama legislation. The law is effective June 1.
Florida enacts legislation prohibiting the misrepresentation of a residential mortgage loan as a business purpose loan
On March 21, the Florida governor signed HB 935, which prohibits the misrepresentation of a residential mortgage loan as a business purpose loan. HB 935 defines “business purpose loan” and requires that “a person must refer to the official interpretation” of the CFPB under 12 C.F. R. Section 1026.3(a) to determine if a loan is for a “business purpose.” It also provides penalties for knowingly or willfully misrepresenting a residential mortgage loan as a business purpose loan. Additionally, HB 935 defines the phrase “hold himself or herself out to the public as being in the mortgage lending business” to include representing to the public through advertisements or solicitations that the individual or business is a licensed mortgage lender. The law is effective July 1.
Nebraska enacts legislation amending certain provisions related to the recording of real property interests
On March 21, the Nebraska governor signed Legislative Bill 750 (LB 750), which amends and clarifies provisions related to the rights and responsibilities of secured creditors and the recording of real property interests. Among other things, LB 750 addresses (i) recording requirements for licensed mortgage bankers and (ii) the liability of a secured creditor that fails to timely record a deed of reconveyance or a release of mortgage when the obligation has been satisfied and a written request to record it has been received from the trustor, mortgagor or grantor. It also provides that “the transfer of any debt secured by a mortgage shall also operate as a transfer of a security of such debt.” The bill takes effect July 18.
Arizona creates first state regulatory sandbox for fintech innovation
On March 22, the Governor of Arizona signed HB 2434, which creates the first state “sandbox” program for companies to test innovative financial products or services without certain regulatory requirements. Arizona’s Regulatory Sandbox Program (RSP) will be administered by the state Attorney General and requires, among other things, that applicants describe the innovation desired to be tested, including an explanation of potential benefits and risks to consumers. Within 90 days, the Attorney General will notify the applicant if they are approved for the program. Details of the RSP program include a window of 24 months to test the product, requirements for seeking extensions to that time limit, a cap on the number of individuals who may participate in testing a product, and required disclosures to consumers. Participants are required to retain records and documents produced in the normal court of business for their product, and the Attorney General is allowed to seek those records and to establish regular reporting requirements. The RSP also places additional restrictions on certain participants, including consumer lenders and money transmitters, and requires compliance with Arizona consumer financial laws and all statutory limits and caps related to financial transactions.
The RSP is effective on April 26 and terminates on July 1, 2028.
Tennessee amends interest rate legislation
On March 23, the Governor of Tennessee signed HB 1944, which amends lending provisions of the Tennessee Code Annotated to change the application of interest rates to the amount financed instead of the total amount of the loan with regard to certain loans made by Tennessee industrial loan and thrift companies. The following interest rate requirements under present Tennessee law now apply to the amount financed: (i) under $100, no interest shall be charged on the principal or on the unpaid balance due after maturity in excess of a maximum effective rate of 18 percent per annum; (ii) between $100 and $5,000, no interest shall be charged on the principal or on the unpaid balance due after maturity in excess of a maximum effective rate of 30 percent per annum; (iii) greater than $5,000, no interest shall be charged on the principal or on the unpaid balance due after maturity in excess of a maximum effective rate of 24 percent per annum; and (iv) for open-end credit plans, a maximum effective rate of 24 percent per annum applies to the principal or on the unpaid balance due after maturity. HB 1944 is effective immediately and applies to loans made on or after March 23.
Multiple states update security freeze legislation
On March 23, the Governor of Tennessee signed HB 1486, which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already prohibited charging a fee for a security freeze if the consumer is a victim of identity theft and presents a copy of a police report (or other official documentation) to the credit reporting agency at the time of the request. Under Section 47-18-2108 of the Tennessee Code Annotated, the state still allows charging a fee of up to seven dollars and fifty cents for all other placements of a security freeze and up to five dollars to permanently remove a security freeze. HB 1486 is effective immediately.
On March 20, the Governor of Idaho signed SB 1265, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the first placement of a security freeze and for the first temporary lift of a security freeze during a twelve-month period. The law allows for a fee of up to six dollars for the second placement or temporary lift within a twelve-month period. SB 1265 still allows for a fee of up to $10.00 for the reissuance of a personal identification number or password. The legislation is effective July 1.
Idaho enacts legislation modifying certain motor vehicle service contract provisions
On March 19, the Idaho governor signed HB 521, which updates a section of the Idaho Code pertaining to the “Idaho Motor Vehicle Service Contract Act” (the Act) to, among other things, “provide[] for state of Idaho regulation of motor vehicle service contracts.” HB 521 also modifies certain provisions surrounding motor vehicle service contracts by (i) clarifying the definition of a service contract; (ii) providing for service contract reimbursement policy requirements; (iii) setting forth rules associated with the sale of service contracts; (iv) specifying recordkeeping requirements; (v) providing for licensing; (vi) stipulating violation penalties; and (vii) noting that the legislation does not preclude a cause of action under the Idaho Consumer Protection Act. Furthermore, HB 521 notes that the “Idaho Insurance Guaranty Association Act shall not apply to any motor vehicle service contract, mechanical breakdown insurance or motor vehicle service contract liability insurance policy.” The Act is effective July 1.
Florida updates installment loan repayment terms and allowable delinquency charges
On March 19, the Florida governor signed SB 386, which amends Florida’s consumer finance law to remove the requirement that installment payments must be made monthly, and updates the allowable charges for delinquencies. Specifically, SB 386 now allows equal, periodic installment loan payments to be made every two weeks, semimonthly, or monthly. This provision does not apply to lines of credit. Additionally, SB 386 provides that a delinquency charge for a payment in default may not exceed $15 for payments due monthly; $7.50 for payments due semimonthly; and $7.50 or $5.00 for payments due every two weeks, depending on the number of payments due within a calendar month. The law is effective July 1.
Florida allows 60 - 90 day payday loan
On March 19, the Florida governor signed legislation, SB 920, which authorizes the lending of an additional type of payday loan (referred to as, “deferred presentment installment transaction”). The legislation now allows loans under $1,000 that have a repayment term between 60 and 90 days with maximum fees of 8 percent of the outstanding transaction balance charged on a biweekly basis. Fees must be calculated using a simple interest calculation. Previously, Florida only authorized small-dollar loans under $500 that had repayment terms between seven and 30 days (referred to as, “deferred presentment transaction[s]”).
The expansion of the allowable small-dollar loans, appears to be in response to the CFPB’s final rule addressing payday loans, vehicle titles loans, and certain other extensions of credit (previously covered in a Buckley Special Alert), which covers most transactions with repayment terms of less than 45 days. While the CFPB’s rule became effective on January 16, compliance for most of the rule’s provisions is not required until August 2019. Moreover, in January, the CFPB announced its plan to reconsider the final rule (covered by InfoBytes here).
States enact data breach notification laws; Oregon prohibits fees for security freezes
On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.
A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:
- Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
- Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).