
InfoBytes Blog

Financial Services Law Insights and Observations



  • FTC report to Congress suggests legislative enhancements on consumer protection

    Federal Issues

    On April 10, the FTC issued a report addressed to Congress detailing its efforts to collaborate with state attorneys general (AGs) from across the U.S. on consumer protection law enforcement goals. The report, titled “Working Together to Protect Consumers: A Study and Recommendations on FTC Collaboration with the State Attorneys General,” was issued pursuant to the FTC Collaboration Act of 2021 and included legislative recommendations to enhance the FTC’s consumer protection efforts. The report followed a request for information issued by the FTC in June 2023, seeking public comments on how the FTC might improve collaboration with state AGs to protect consumers from fraud and ensure fairness in the marketplace.

    The FTC's report was divided into three main sections:

    1. The first section outlined the existing collaborative practices between the FTC and state AGs, detailing their shared roles in combating frauds and scams, the respective law enforcement authority of the FTC and the AGs, and the ways federal and state enforcers can share the information they gather, including through networks such as the Consumer Sentinel Network consumer complaint database.
    2. The second section described best practices to ensure effective collaboration between the FTC and state AGs, including strong information-sharing practices and coordination of enforcement actions. It also suggested ways to expand the sharing of technical resources and expertise between federal and state agencies.
    3. The third section provided legislative recommendations aimed at improving collaboration efforts by providing the FTC with clearer authority to pursue legal actions. This section emphasized a request for Congress to restore the FTC’s authority to seek monetary refunds for consumers who have been defrauded, following a 2021 U.S. Supreme Court decision holding that such relief was not available to the Commission (covered by InfoBytes here). Additionally, this section suggested giving the FTC independent authority to seek civil penalties and clear authority to take legal action against facilitators of unfair or deceptive practices.

    In its report to Congress, the FTC emphasized the importance of a collaborative approach to consumer protection among enforcement agencies and states, continuing to seek ways to strengthen its ties with state AGs to address future challenges.

    Federal Issues FTC Congress State Attorney General Consumer Protection

  • CFPB focuses on in-game video game market and its consumer protection issues

    Federal Issues

    On April 4, the CFPB released a report titled “Banking in video games and virtual worlds” that examined the gaming industry and the consumer financial systems that affect it. The Bureau’s report identified three key findings: (i) a network of financial products and services has entered the gaming industry to leverage and support the transfer of gaming assets and currency; (ii) the increased value of these assets has led to an increase of hacking attempts, account theft, scams, and unauthorized transactions; and (iii) the consumer data collected by gaming companies is bought, sold, and traded between companies, which can pose a risk to gaming customers. As a result, the CFPB intends to monitor these issues in gaming and other such non-traditional markets to ensure companies comply with federal consumer financial protection laws.

    The report noted that the proliferation of gaming and the evolution of the industry to offering in-game purchases and gaming assets has created the need for an infrastructure to enable fiat currency to flow into and out of games and virtual worlds. This can include transactions within the game, trading virtual items with other players, buying products on secondary markets, converting gaming assets to traditional currency, withdrawals of that currency, and/or using third parties to convert and withdraw the currency. As a result, companies have established financial products and services that increasingly resemble traditional financial products, like loans, payment processing, and money transmission. 

    In addition to the gaming economy creating a relatively new and unregulated financial marketplace, the Bureau identified additional risks similar to those found in the traditional market surrounding fraud, identity theft, money laundering, and privacy. For example, the report noted that these highly valuable gaming assets have made player accounts vulnerable to phishing and hacking attempts as well as unauthorized transactions. However, efforts by the FTC or CFPB to address complaints related to this activity have been met with a “buyer beware” approach by gaming companies. 

    Further, gaming companies collect a significant amount of data on players as a way to personalize the experience. However, the companies use this data to monetize gameplay to entice more spending as well as buy, sell and trade this data. The report noted that (i) the use of personal data can result in highly individualized pricing and (ii) the storage and transfer of consumer data poses privacy risks for gamers. In light of these various issues, the CFPB plans to work with other agencies to monitor both these non-traditional financial products and services as well as the companies that collect and sell sensitive consumer data.

    Federal Issues CFPB Consumer Protection Video Games Digital Wallets

  • Kentucky enacts a comprehensive data privacy law for controllers

    Privacy, Cyber Risk & Data Security

    On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produces products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.

    The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.

    The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers will have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given a 45-day extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues Kentucky Consumer Protection Gramm-Leach-Bliley

  • Washington enacts SB 6025 addressing certain lending practices

    State Issues

    On March 25, the Governor of the State of Washington signed SB 6025 (the “Act”) into law. The Act would prohibit covered entities from (i) making loans disguised as personal property sale or leaseback transactions; (ii) offering cash rebates as a cover for installment sales; or (iii) making loans with interest rates or charges surpassing legal limits, among other things. The Act also amended portions of Washington State’s Consumer Loan Act (CLA). The Act would provide that non-bank services companies may be lenders under the CLA if such company would hold the “predominate interest in the loan” or “totality of the circumstances indicate that the [company] is the lender.” These changes will go into effect on June 6.

    State Issues Washington State Legislation Consumer Finance Consumer Protection

  • New Hampshire enacts SB 255, a comprehensive consumer privacy bill

    State Issues

    Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

    The Act will define new terms, such as “sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

    The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability. Consumers will also be protected against discrimination for exercising any of the above rights.

    The Act contained controller responsibilities, including:

    • Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
    • Not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
    • Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
    • Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
    • Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
    • Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

    The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

    The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection

  • Wisconsin enacts SB 628 to protect vulnerable adults

    State Issues

    On March 22, the Governor of Wisconsin signed SB 628 (the “Act”), which “allows financial service providers to refuse or delay financial transactions when financial exploitation of a vulnerable adult is suspected.”

    The Act would authorize financial service providers to refuse or postpone financial transactions on accounts held by or benefiting a vulnerable adult—a term defined as “an adult at risk or an individual who is at least 65 years of age”—if there is a reasonable suspicion of financial exploitation. The Act would not mandate covered financial service providers, which included financial institutions, mortgage bankers, brokers, and loan originators, among others, to take such action. Additionally, financial service providers were allowed, but not obligated, to act on information from elder-adult-at-risk agencies, adult-at-risk agencies, or law enforcement regarding potential financial exploitation. The Act mandated that financial service providers give notice when transactions are refused or delayed and defined the time limits for such actions. It also permitted financial service providers to refuse to accept a power of attorney if financial exploitation is suspected. Moreover, the Act outlined a procedure for financial service providers to compile a list of contacts that a vulnerable adult authorizes, which can be used if exploitation is suspected, and authorized the financial service provider to share its suspicions with designated individuals, including those on the list. Financial service providers acting in good faith would be granted immunity from any criminal, civil, or administrative liability for actions such as (i) refusing or not refusing a financial transaction; (ii) refusing to accept or accepting a power of attorney; (iii) contacting or not contacting a person to convey suspicion of financial exploitation; and (iv) any action based on a reasonable determination related to these measures. The Act went into effect on March 23. 

    State Issues Wisconsin Consumer Protection State Legislation

  • Trade groups sue Colorado Attorney General to block enforcement of law limiting out-of-state bank charges on consumer credit


    On March 25, three trade groups filed a lawsuit in the U.S. District Court for the District of Colorado against the Colorado Attorney General and the Administrator of the Colorado Uniform Consumer Credit Code to prevent enforcement of Section 3 of House Bill 23-1229, which was signed into law last year to limit out-of-state bank charges on consumer credit (the “Act”). As previously covered by InfoBytes, the Act amended the state’s Uniform Consumer Credit Code to opt out of the Depository Institutions Deregulation and Monetary Control Act (DIDMCA) provision that allowed state-chartered banks to charge the interest allowed by the state where they are located, regardless of the location of the borrower and regardless of conflicting out-of-state law. The Act would go into effect on July 1.

    According to the complaint, the Act “far exceed[s]” the authority Congress granted Colorado under DIDMCA and would be deemed “invalid on its face.” Plaintiffs alleged that Colorado ignored the federal definition of where a loan was deemed to be “made,” imposing “its state interest-rate caps on any ‘consumer credit transaction[] in’ Colorado,” including “any loan to a Colorado consumer by any state-chartered bank that advertises on the internet in Colorado.” Plaintiffs further alleged that the Act’s opt out “is preempted by DIDMCA and violates the Supremacy Clause of the U.S. Constitution by attempting to expand the federally granted opt-out right to loans not actually ‘made in’ Colorado under federal law,” and “violates the Commerce Clause because it will impede the flow of interstate commerce and subject state-chartered banks to inconsistent obligations across different states.” The Plaintiffs also alleged that Colorado’s stated goal of combatting “predatory, payday-style lending” will not be accomplished through the opt out, as plaintiffs’ members are not payday lenders and offer “a wide variety of useful, familiar, everyday credit products” that “are provided at a range of rate and fee options, which sometimes—to account for credit risk—are above Colorado’s rate and fee caps, but within the rate caps allowed by DIDMCA.” Furthermore, plaintiffs warn that the Act “will prevent Plaintiffs’ members from offering these mainstream products to many Colorado consumers,” while “national banks will still offer these very same loan products to Colorado residents at interest rates in excess of Colorado’s interest-rate and fee caps.” Plaintiffs urged the court to issue a ruling stating that the Act “is void with respect to loans not ‘made in’ Colorado as defined by applicable federal law” and to enjoin Colorado from enforcing or implementing the Act with respect to those loans.

    Courts State Issues Colorado State Attorney General Consumer Protection Consumer Finance Interest Rate DIDMCA

  • CFPB, federal and state agencies to enhance tech capabilities

    Federal Issues

    On March 26, the CFPB announced, as part of a coordinated statement with other federal and state agencies, its intent to enhance its technological capabilities. As part of this initiative, the CFPB will be hiring more technologists to help enforce laws and find remedies for consumers, workers, small businesses, etc. These technologists will join interdisciplinary teams within the CFPB to monitor and address potential violations of consumer rights within the evolving tech landscape, particularly considering the growing attention to generative artificial intelligence (AI). The CFPB's technologists will be tasked with identifying new technological developments, recognizing potential risks, enforcing laws, and developing effective remedies. CFPB Director Rohit Chopra emphasized the essential role of technology in the Bureau’s efforts to regulate data misuse, AI issues, and big tech involvement in financial services. Chopra and Chief Technologist Erie Meyer remarked that the CFPB has integrated technologists into its core functions, with these experts now actively involved in supervisory examinations, enforcement actions, and other regulatory proceedings. They also noted that the CFPB has researched how emerging technologies, such as generative AI and near-field communication, are used in consumer finance. To foster a competitive and “law-abiding” marketplace, Chopra and Meyer also noted that the CFPB will continue to issue policy guidance to assist firms with understanding legal obligations.

    Federal Issues CFPB FCC FTC Fintech Consumer Protection

  • Senator Warren invites student loan servicer to testify before Congress

    Federal Issues

    On March 18, Senator Elizabeth Warren (D-MA) sent a letter to a large student loan servicer, inviting its executives to testify at an upcoming hearing hosted by the Banking, Housing, and Urban Affairs Subcommittee on Economic Policy on April 10. The hearing will focus on the servicer’s performance, student loan borrowers’ experience with return to repayment, and the Public Service Loan Forgiveness (PSLF) program. The letter alleged the servicer “mishandl[ed]” borrowers’ return to repayment after the pandemic by impeding public servants’ access to PSLF relief, among other things. Senator Warren also alleged the servicer failed to perform “basic servicing functions” for PSLF borrowers which led to a backlog of public service workers’ forms eligible towards receiving credit on their student debts. The letter further alleged the servicer implemented a “call deflection scheme” to redirect borrowers' calls from customer service representatives. Testifying would give the servicer the chance to provide context to the allegations, Warren said.

    Federal Issues Congress Testimony Student Loan Servicer Consumer Finance Consumer Protection

  • Utah amends its Consumer Sales Practices Act

    State Issues

    On March 13, the Governor of Utah signed HB 443 (the “Act”), also known as the Utah Consumer Sales Practices Act Amendments, into law. The Act will amend class action lawsuits and will clarify provisions related to “targeted solicitations” involving financial information. According to the Act, “targeted solicitation” will be defined as any written or oral advertisement for a product or service that (i) is addressed to the consumer’s personal account; (ii) contains specific account information; (iii) is offered by a supplier that is not sponsored by or affiliated with the financial institution managing a consumer’s personal account; and (iv) is not authorized by the financial institution managing the consumer’s personal account. The Act will go into effect on May 1.

    State Issues State Legislation Consumer Protection

