InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS introduces guidelines for coin-listing and delisting policies in virtual currency entities
On November 15, NYDFS announced new regulatory guidance which adopts new requirements for coin-listing and delisting policies of DFS-regulated virtual currency entities, updating its 2020 framework for each policy. After considering public comments, the new guidance aims to enhance standards for self-certification of coins and includes requirements for risk assessment, advance notification, and governance. It emphasizes stricter criteria for approving coins and mandates adherence to safety, soundness, and consumer protection principles. Virtual currency entities must comply with these guidelines, requiring DFS approval for coin-listing policies before self-certifying coins, and submitting detailed records for ongoing compliance review. The guidance also outlines procedures for delisting coins and necessitates virtual currency entities to have an approved coin-delisting policy.
As an example under coin listing policy framework, the letter states that a virtual currency entity risk assessment must be tailored to a virtual currency entity's business activity and can include factors such as (i) technical design and technology risk; (ii) market and liquidity risk; (iii) operational risk; (iv) cybersecurity risk; (v) illicit finance risk; (vi) legal risk; (vii) reputational risk; (viii) regulatory risk; (ix) conflicts of interest; and (x) consumer protection. Regarding consumer protection, NYDFS says that virtual currency entities must “ensure that all customers are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices.”
Similar to the listing policy framework, the letter provides a fulsome delisting policy framework. The letter also stated that all virtual currency entities must meet with the DFS by December 8 to preview their draft coin-delisting policies and that final policies must be submitted to DFS for approval by January 31, 2024.
CFPB’s Language Access Plan breakdown for consumers with limited English proficiency
On November 15, the CFPB issued a report, titled “The CFPB Language Access Plan for consumers with limited English proficiency,” on expanding consumer needs in the financial marketplace for individuals with limited English proficiency. The CFPB released this report consistent with the mandates under E.O. 13166 to “educate and empower all consumers, provide information and assistance to traditionally underserved consumer and communities, enforce fair lending laws, and promote an equitable workforce for all consumers.”
The CFPB cites that 22 percent of the U.S. population over the age of five speak a language other than English at home. The CFPB commits itself to ensuring that tools, programs, and services are available to those who need language assistance by (i) understanding the needs of the population; (ii) conducting outreach and engagement; (iii) providing products and services in eight different languages other than English; and (iv) promoting fair and equitable access to the financial marketplace.
The CFPB’s report also lists several public enforcement actions involving communicating with consumer with limited English proficiency. The report mainly outlines how well the agency does in addressing the diverse language needs of the U.S. population, including translated disclosures, websites, and outreach and engagement sessions.
District Court grants payday lender's motion to stay CFPB case pending Supreme Court decision
On November 3, the U.S. District Court of Nevada granted a payday lender’s motion to stay a case brought by the CFPB, pending a SCOTUS’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau (see InfoBytes here and here). The CFPB issued a civil investigative demand (CID) in late 2022 to the lender, as part of an investigation into its lending practices. The lender complied with the CID initially, but later requested a stay due to the impending SCOTUS decision regarding the constitutionality of the CFPB’s funding structure, which could impact the CFPB’s enforcement authority. Although the CFPB opposed the stay by arguing that the extensive delay could hinder its ability to investigate the lender, the court granted the lender’s motion, in line with other district courts that have faced similar issues.
President Biden issues Executive Order targeting AI safety
On October 30, President Biden issued an Executive Order (EO) outlining how the federal government can promote artifical intelligence (AI) safety and security to protect US citizens’ rights by: (i) directing AI developers to share critical information and test results with the U.S. government; (ii) developing standards for safe and secure AI systems; (iii) protecting citizens from AI-enabled fraud; (iv) establishing a cybersecurity program; and (v) creating a National Security Memorandum developed by the National Security Council to address AI security.
President Biden also called on Congress to act by passing “bipartisan data privacy legislation” that (i) prioritizes federal support for privacy preservation; (ii) strengthens privacy technologies; (iii) evaluates agencies’ information collection processes for AI risks; and (iv) develops guidelines for federal agencies to evaluate privacy-preserving techniques. The EO additionally encourages agencies to use existing authorities to protect consumers and promote equity. As previously covered by InfoBytes, the FCC recently proposed to use AI to block unwanted robocalls and texts). The order further outlines how the U.S. can continue acting as a leader in AI innovation by catalyzing AI research, promoting a fair and competitive AI ecosystem, and expanding the highly skilled workforce by streamlining visa review.
DFPI orders deceptive debt collectors to desist and refrain, pay penalties
On October 23, DFPI announced enforcement actions against four debt collectors for engaging in unlicensed debt collection activity, in violation of Debt Collection Licensing Act and unfair, deceptive, or abusive acts or practices, in violation of the California Consumer Financial Protection Law. In its order against two entities, the department alleged that the entities contacted at least one California consumer and made deceptive statements in an attempt to collect a payday loan-related debt, among other things. In its third order against another two entities, DFPI alleged that a consumer was not provided the proper disclosures in a proposed settlement agreement to pay off their debts in a one-time payments. Additionally, DFPI alleged that the entity representatives made a false representation by communicating empty threats of an impending lawsuit.
Under their orders (see here, here, and here), the entities must desist and refrain from engaging in illegal and deceptive practices, including (i) failing to identify as debt collectors; (ii) making false and misleading statements about payment requirements; (iii) threatening unlawful action, such as a lawsuit, because of nonpayment of a debt; (iv) contacting the consumer at a forbidden time of day; (iv) making false claims of pending lawsuits or legal process and the character, amount, or legal status of the debt; (v) failing to provide a “validation notice” ; and (vi) threatening to sue on time-barred debt.
The entities are ordered to pay a combined $87,500 in penalties for each of the illegal and deceptive practices.
Utah Court of Appeals affirms ruling for debt buyer engaged in unlicensed collection efforts
The Utah Court of Appeals affirmed a lower court’s ruling against a debt buyer that acquired a portfolio of bad debts from borrowers all over the country, including residents of Utah. The debt buyer collected on the portfolio of debts by retaining third-party debt collectors or, in some instances, attorneys to recover such debts by filing lawsuits. The debt buyer was not licensed under the Utah Collection Agency Act (UCAA). As such, the plaintiffs argued that the debt buyer’s collection efforts were “deceptive” and “unconscionable” under the Utah Consumer Sales Practices Act.
The lower court ruled for the debt buyer on the grounds that failure to obtain a license, without more, did not rise to the level of “deceptive” or “unconscionable” conduct. Further, the UCAA does not have a private right of action.
Utah recently repealed the collection agency’s license, effective May 3, 2023 (covered by InfoBytes here).
FCC’s proposes inquiry on AI’s role in unwanted robocalls and texts
On October 20, FCC Chairwoman Rosenworcel announced a proposed inquiry for how artificial intelligence could impact unwanted robocalls and texts. If adopted during the Commission’s forthcoming public open meeting on November 15, 2023, this proposal will initiate an examination of how the use of AI technologies could impact regulation under the Telephone Consumer Protection Act (TCPA). Specifically, the inquiry would seek public comment on (i) how AI technology fits into the commission’s duties outlined in the TCPA; (ii) the circumstances under which future AI technology would fall under TCPA; (iii) the influence of AI on existing regulatory structures and the development of future policies; (iv) whether the commission should explore methods of verifying the legitimacy of AI-generated voice or text content from reliable sources; and (v) next steps.
CFPB announces civil money penalty against nonbank, alleges EFTA and CFPA violations
On October 17, the CFPB announced an enforcement action against a nonbank international money transfer provider for alleged deceptive practices and illegal consumer waivers. According to the consent order, the company facilitated remittance transfers through its app that required consumers to sign a “remittance services agreement,” which included a clause protecting the company from liability for negligence over $1,000. The Bureau alleged that such waiver violated the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E, including Subpart B, known as the Remittance Transfer Rule, by (i) requiring consumers sign an improper limited liability clause to waive their rights; (ii) failing to provide contact and cancellation information in disclosures, and other required terms; (iii) failing to provide a timely receipt when payment is made for a transfer; (iv) failing to develop and maintain required policies and procedures for error resolution; (v) failing to investigate and determine whether an error occurred, possibly preventing consumers from receiving refunds or other remedies they were entitled to; and (vi) failing to accurately disclose exchange rates and the date of fund availability. The CFPB further alleged that the company’s representations regarding the speed (“instantly” or “within seconds”) and cost (“with no fees”) of its remittance transfers to consumers were inaccurate and constituted violations of CFPA. The order requires the company to pay a $1.5 million civil money penalty and provide an additional $1.5 in consumer redress. The company must also take measures to ensure future compliance.
CFPB proposes rule to accelerate a shift toward open banking
On October 19, the CFPB announced a proposed rule that it said would accelerate a shift toward open banking, would give consumers more control over their financial data, and would offer new protections against companies misusing consumer data. The proposed Personal Financial Data Rights rule activates a dormant provision of law enacted by Congress more than a decade ago, Section 1033 of the Consumer Financial Protection Act. According to the CFPB, the rule would “jumpstart competition” by prohibiting financial institutions from “hoarding” a person’s data and requiring companies to share data with other companies at the consumer’s direction about their use of checking and prepaid accounts, credit cards, and digital wallets. This would allow consumers to access competing products and services while ensuring that their data would be used only for their own preferred purpose. Among other things, the proposed rule would ensure that consumers: (i) can obtain their personal financial data at no cost; (ii) have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts; and (iii) can walk away from bad service. Comments on the proposed rule must be received on or before December 29, 2023.
California enacts new data broker regulations
The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.
Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during its yearly registration, including: (i) if they collect the personal information of minors; (ii) if the data broker collects consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on its website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.
The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.