
InfoBytes Blog

Financial Services Law Insights and Observations


  • Tennessee amends caller ID law

    State Issues

    On April 22, Tennessee enacted HB 2504 (the “Act”), which amends the Tennessee Consumer Protection Act of 1977 to specify that it is illegal for: (i) “[a] person, in connection with a telecommunications service or an interconnected VoIP service, to knowingly cause any caller identification service to transmit misleading or inaccurate caller identification information to a subscriber with the intent to defraud or cause harm to another person or to wrongfully obtain anything of value”; and (ii) “[a] person, on behalf of a debt collector or inbound telemarketer service, to knowingly cause any caller identification service to transmit misleading or inaccurate caller identification information, including caller identification information that does not match the area code of the person or the debt collector or inbound telemarketer service the person is calling on behalf of, or that is not a toll-free phone number, to a subscriber with the intent to induce the subscriber to answer.”

    The Act is effective on July 1.

    State Issues Tennessee State Legislation Consumer Protection

  • CFPB publishes the mortgage servicer edition of its Supervisory Highlights

    Federal Issues

    On April 24, the CFPB published its 33rd edition of its Supervisory Highlights which covers select examinations and violations regarding mortgage servicing from April 1, 2023, through December 31, 2023. This edition of Supervisory Highlights focused on alleged violations of law identified in CFPB examinations including (i) charging illegal junk fees including impermissible property inspection and late fees; (ii) UDAAP violations; and (iii) violations of Regulation X loss mitigation requirements. The Bureau made clear in its press release that it plans to continue its focus on combatting junk fees within and beyond the mortgage servicing space.

    The CFPB highlighted several violations of law resulting from mortgage servicers’ payment processing practices including the charging of property inspection fees in connection with certain Fannie Mae loans in violation of investor guidelines. To rectify this, servicers addressed system errors causing the fees in question, enhanced oversight, and were instructed to compensate affected borrowers. Other payment processing-related violations identified by the Bureau included failure to adequately describe fees in periodic statements by using the term “service fee” to describe 18 different fee-types, and failure to make timely disbursements from escrow accounts in violation of Regulation X.

    The Bureau also identified unfair practices relating to the charging of late fees in excess of the amount authorized in the loan agreement or after consumers had entered into loss mitigation agreements, which should have prevented late fees. Servicers identified as having engaged in such violations were required to refund the fees to consumers and improve internal processes in response to the findings.

    The CFPB also identified violations of law relating to loss mitigation and loan modifications. Examiners noted that some servicers failed to provide a written notice confirming the receipt of loss mitigation applications and informing consumers of whether the application was complete or incomplete. Further, some servicers failed to provide timely and complete notices of loss mitigation options. Additionally, some servicers, in violation of Regulation X, failed to waive existing fees after borrowers had accepted Covid-19 hardship loan modifications.

    Examiners also found that certain servicers committed deceptive practices by sending out delinquency notices incorrectly stating that consumers had missed payments and needed to apply for loss mitigation when those consumers were actually up to date on their payments, enrolled in trial modification plans, or had inactive loans (such as those already paid off or in the process of a short sale).

    Finally, the Bureau identified violations of law relating to (i) live contact and early intervention requirements in connection with delinquency and (ii) failure to retain adequate records.

    Federal Issues CFPB Consumer Finance Consumer Protection Mortgages Mortgage Servicing Supervision UDAAP CFPA Unfair Deceptive

  • Tennessee prevents lenders from discriminating against specific factors

    State Issues

    On April 22, the Governor of Tennessee signed into law HB 2100 (the “Act”) which amended the state consumer protection codes to prevent financial institutions and insurers (collectively, institutions) from discriminating in the provision or denial of services based on certain enumerated factors. Specifically, institutions will not be allowed to discriminate based on, among others: (i) a person’s political opinions, speech, or affiliations; (ii) a person’s religious beliefs, exercise, or affiliations; (iii) any factor that is not a quantitative, impartial and risk-based standard; or (iv) a “social credit score” that is based on certain identified factors, including the lawful ownership of a firearm, engagement in fossil fuel-related business, support of the state or federal government’s efforts to combat illegal immigration, or a person’s failure to meet environmental, social governance, corporate board composition, social justice, or diversity, equity, and inclusion standards so long as the person is in compliance with applicable state or federal law. The Act provides that engaging in the prohibited forms of discrimination constitutes an unfair trade practice. The Act will go into effect on July 1.

    State Issues Tennessee Consumer Protection Discrimination UDAP

  • New York AG settles with bank over EIPA violations

    State Issues

    On April 17, the New York attorney general (AG) announced a settlement with a bank (respondent) to resolve allegations that respondent improperly froze customer accounts and paid out consumer funds to debt collectors, and failed to properly oversee its service providers engaging in similar activity, in violation of the Exempt Income Protection Act (EIPA). The EIPA requires that banks, among other things, “not restrain consumers’ use of statutorily exempt funds, such as social security benefits, veterans benefits, and disability insurance… in consumers’ bank accounts up to an amount set every three years by New York’s Department of Financial Services.” New York law also bars debt collectors from acquiring funds that include certain government benefits.

    According to the settlement, respondent typically employs the assistance of specific third-party service providers to market and deliver banking products like debit cards, prepaid cards, payroll cards, or gift cards to consumers while respondent holds the funds loaded onto those cards. Service providers administer the program and interact with consumers, including by clearing transactions through a network processor approved by respondent, and generally handling transaction disputes and preparing account statements, while respondent oversees and monitors the program and the service provider while retaining full control of the funds. The AG claimed that respondent failed to ensure its service providers complied with the EIPA, and that on numerous occasions, service providers allegedly froze accounts holding exempt funds or accounts with balances below legal thresholds, then paid debt collectors with the frozen funds under the instruction of respondent.

    According to the AG, respondent’s service providers also engaged in deceptive acts and practices by allegedly falsely labeling legal processes as “court orders” instead of documents from debt collectors. Respondent also allegedly provided false information that account freezes could not be lifted even when account balances were below legal thresholds, and falsely claimed that only debt collectors could release the freeze. Additionally, service providers allegedly directed consumers to debt collectors who often sought deals to release account freezes for a portion of the account balance, despite the freezes being void and subject to the protected wage threshold.

    Under the terms of the settlement, respondent will refund $79,664 plus interest to approximately 88 New Yorkers whose funds were wrongfully turned over to debt collectors and amend its policies and procedures. Respondent must also pay a civil money penalty of $627,000, and comply with ongoing monitoring and compliance requirements.

    State Issues Payments Prepaid Cards New York Settlement Consumer Protection State Attorney General

  • FTC report to Congress suggests legislative enhancements on consumer protection

    Federal Issues

    On April 10, the FTC issued a report addressed to Congress detailing its efforts to collaborate with state attorneys general (AGs) from across the U.S. on consumer protection law enforcement goals. The report, titled “Working Together to Protect Consumers: A Study and Recommendations on FTC Collaboration with the State Attorneys General,” was issued pursuant to the FTC Collaboration Act of 2021 and included legislative recommendations to enhance the FTC’s consumer protection efforts. The report followed a request for information issued by the FTC in June 2023, seeking public comments on how the FTC might improve collaboration with state AGs to protect consumers from fraud and ensure fairness in the marketplace.

    The FTC's report was divided into three main sections:

    1. The first section outlined the existing collaborative practices between the FTC and state AGs, detailing their shared roles in combating frauds and scams, the respective law enforcement authority of the FTC and the AGs, and the ways federal and state enforcers can share the information they gather, including through networks such as the Consumer Sentinel Network consumer complaint database.
    2. The second section described best practices to ensure effective collaboration between the FTC and state AGs, including strong information-sharing practices and coordination of enforcement actions. It also suggested ways to expand the sharing of technical resources and expertise between federal and state agencies.
    3. The third section provided legislative recommendations aimed at improving collaboration efforts by providing the FTC with clearer authority to pursue legal actions. This section emphasized a request for Congress to restore the FTC’s authority to seek monetary refunds for consumers who have been defrauded, following a 2021 U.S. Supreme Court decision holding that such relief was not available to the Commission (covered by InfoBytes here). Additionally, this section suggested giving the FTC independent authority to seek civil penalties and clear authority to take legal action against facilitators of unfair or deceptive practices.

    In its report to Congress, the FTC emphasized the importance of a collaborative approach to consumer protection among enforcement agencies and states, continuing to seek ways to strengthen its ties with state AGs to address future challenges.

    Federal Issues FTC Congress State Attorney General Consumer Protection

  • CFPB focuses on in-game video game market and its consumer protection issues

    Federal Issues

    On April 4, the CFPB released a report titled “Banking in video games and virtual worlds” that examined the gaming industry and the consumer financial systems that affect it. The Bureau’s report identified three key findings: (i) a network of financial products and services has entered the gaming industry to leverage and support the transfer of gaming assets and currency; (ii) the increased value of these assets has led to an increase of hacking attempts, account theft, scams, and unauthorized transactions; and (iii) the consumer data collected by gaming companies was bought, sold, and traded between companies, which can pose a risk to gaming customers. As a result, the CFPB intends to monitor these issues in gaming and other such non-traditional markets to ensure companies comply with federal consumer financial protection laws.

    The report noted that the proliferation of gaming and the evolution of the industry to offering in-game purchases and gaming assets has created the need for an infrastructure to enable fiat currency to flow into and out of games and virtual worlds. This can include transactions within the game, trading virtual items with other players, buying products on secondary markets, converting gaming assets to traditional currency, withdrawals of that currency, and/or using third parties to convert and withdraw the currency. As a result, companies have established financial products and services that increasingly resemble traditional financial products, like loans, payment processing, and money transmission. 

    In addition to the gaming economy creating a relatively new and unregulated financial marketplace, the Bureau identified additional risks similar to those found in the traditional market surrounding fraud, identity theft, money laundering, and privacy. For example, the report noted that these highly valuable gaming assets have made player accounts vulnerable to phishing and hacking attempts as well as unauthorized transactions. However, efforts by the FTC or CFPB to address complaints related to this activity have been met with a “buyer beware” approach by gaming companies. 

    Further, gaming companies collect a significant amount of data on players as a way to personalize the experience. However, the companies use this data to monetize gameplay to entice more spending as well as buy, sell and trade this data. The report noted that (i) the use of personal data can result in highly individualized pricing and (ii) the storage and transfer of consumer data poses privacy risks for gamers. In light of these various issues, the CFPB plans to work with other agencies to monitor both these non-traditional financial products and services as well as the companies that collect and sell sensitive consumer data.

    Federal Issues CFPB Consumer Protection Video Games Digital Wallets

  • Kentucky enacts a comprehensive data privacy law for controllers

    Privacy, Cyber Risk & Data Security

    On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produces products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers and that derive over 50 percent of gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.

    The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.

    The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers will have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given an additional 45-day extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues Kentucky Consumer Protection Gramm-Leach-Bliley

  • Washington enacts SB 6025 addressing certain lending practices

    State Issues

    On March 25, the Governor of the State of Washington signed SB 6025 (the “Act”) into law. The Act would prohibit covered entities from (i) making loans disguised as personal property sale or leaseback transactions; (ii) offering cash rebates as a cover for installment sales; or (iii) making loans with interest rates or charges surpassing legal limits, among other things. The Act also amended portions of Washington State’s Consumer Loan Act (CLA). The Act would provide that non-bank services companies may be lenders under the CLA if such company would hold the “predominate interest in the loan” or “totality of the circumstances indicate that the [company] is the lender.” These changes will go into effect on June 6.

    State Issues Washington State Legislation Consumer Finance Consumer Protection

  • New Hampshire enacts SB 255, a comprehensive consumer privacy bill

    State Issues

    Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

    The Act will define new terms, such as “sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

    The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability. Consumers will also be protected against discrimination for exercising any of the above rights.

    The Act contained controller responsibilities, including:

    • Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
    • Not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
    • Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
    • Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
    • Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
    • Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

    The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

    The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection

  • Wisconsin enacts SB 628 to protect vulnerable adults

    State Issues

    On March 22, the Governor of Wisconsin signed SB 628 (the “Act”), which “allows financial service providers to refuse or delay financial transactions when financial exploitation of a vulnerable adult is suspected.”

    The Act would authorize financial service providers to refuse or postpone financial transactions on accounts held by or benefiting a vulnerable adult—a term defined as “an adult at risk or an individual who is at least 65 years of age”—if there is a reasonable suspicion of financial exploitation. The Act would not mandate covered financial service providers, which included financial institutions, mortgage bankers, brokers, and loan originators, among others, to take such action. Additionally, financial service providers were allowed, but not obligated, to act on information from elder-adult-at-risk agencies, adult-at-risk agencies, or law enforcement regarding potential financial exploitation. The Act mandated that financial service providers give notice when transactions are refused or delayed and defined the time limits for such actions. It also permitted financial service providers to refuse to accept a power of attorney if financial exploitation is suspected. Moreover, the Act outlined a procedure for financial service providers to compile a list of contacts that a vulnerable adult authorizes, which can be used if exploitation is suspected, and authorized the financial service provider to share its suspicions with designated individuals, including those on the list. Financial service providers acting in good faith would be granted immunity from any criminal, civil, or administrative liability for actions such as (i) refusing or not refusing a financial transaction; (ii) refusing to accept or accepting a power of attorney; (iii) contacting or not contacting a person to convey suspicion of financial exploitation; and (iv) any action based on a reasonable determination related to these measures. The Act went into effect on March 23. 

    State Issues Wisconsin Consumer Protection State Legislation
