On November 24, the U.S. District Court for the Central District of California dismissed, with prejudice, a putative class action alleging that a nonbank lender prioritized high-dollar Paycheck Protection Program (PPP) loan applicants. The plaintiff’s complaint—which alleged claims of fraudulent concealment, fraudulent deceit, unfair business practices, and false advertising—claimed, among other things, that the lender (i) was not licensed to make loans in California when she applied; (ii) did not have adequate funding to make the loans; and (iii) advertised it would process loan requests on a first-come, first-served basis, but actually prioritized favored customers and higher-value loans that yielded higher lending fees. The court granted the lender’s motion to dismiss. According to the court, the plaintiff’s allegation that the parties were “transacting business in order to enter into a contractual, borrower-lender relationship” was not supported by any facts, and while the plaintiff claimed she submitted a PPP loan application to the lender, a confirmation e-mail from the lender did not mention a submitted application—only a loan request. “This court cannot, therefore, assume the truth of Plaintiff’s allegation that she submitted a loan application, let alone her conclusory allegation that the parties entered into a borrower-lender relationship or engaged in any other transaction,” the court stated. The court also determined that the plaintiff’s fraudulent deceit claim failed because her allegation, made on information and belief, that the lender prioritized large loans had no factual foundation, and the plaintiff failed to plead the elements of that claim.
On November 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $58 million settlement in a class action against a fintech company (defendant) alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. The plaintiffs alleged the defendant obtained data from class members’ financial accounts without authorization. The plaintiffs also claimed the defendant collected class members’ bank login information through a user interface that made it appear as if class members were interfacing directly with their financial institution, when they were actually interfacing with the defendant.
In granting preliminary approval of the settlement, the court determined it was unclear whether the plaintiffs would have prevailed on the merits at trial, particularly with regard to the “relatively untested” claim that the defendant’s practices breached California’s anti-phishing law. Several other claims originally brought by the plaintiffs were dismissed in May, including allegations that the defendant breached the Stored Communications Act, the Computer Fraud and Abuse Act, and California’s Unfair Competition Law. In addition to the $58 million settlement fund, the proposed settlement would also provide for injunctive relief.
On November 15, the California Department of Financial Protection and Innovation (DFPI) issued a second draft of proposed regulations under the Debt Collection Licensing Act (the Act). As previously covered by InfoBytes, California enacted the Act in 2020 to require a person engaging in the business of debt collecting in the state, as defined by the Act, to be licensed. The Act also provides for the regulation and oversight of debt collectors by DFPI. In April 2021, DFPI issued a notice of proposed rulemaking (NPRM) and proposed regulations to adopt new requirements for debt collectors seeking to obtain a license to operate in the state, and issued a notice of modifications to the NPRM in June to incorporate changes to its debt collection license requirements and application. (Covered by InfoBytes here and here.) Among other things, the proposed modifications:
- Amend the definition of “branch office” to include any location other than an applicant’s or licensee’s principal place of business “if activity related to debt collection occurs at the location and the location is held out to the public as a business location or money is received at the location or held at the location.” The definition of “holding a location out to the public” includes receiving postal correspondence, meeting with the public, including the location on correspondence, letterhead, or business cards, and including signage at the location, or making any other representation that the location is a business location.
- Amend the definition of “debt collector” to align with the Act, which defines “debt collector” as “any person who, in the ordinary course of business, regularly, on the person’s own behalf or on behalf of others, engages in debt collection. The term includes any person who composes and sells, or offers to compose and sell, forms, letters and other collection media used or intended to be used for debt collection. The term ‘debt collector’ includes ‘debt buyer’ as defined in Section 1788.50 of the Civil Code.”
Comments on the second draft of modifications must be received by December 2.
On November 9, the U.S. District Court for the Northern District of California issued an order granting, among other things, a global technology company defendant’s motion to compel individual arbitration in a privacy class action and dismissing the action without prejudice. As outlined in a May order issued by the court, which granted in part and denied in part defendant’s motion to dismiss plaintiff’s first amended complaint, the plaintiff alleged that the defendant failed to disclose it was (i) monitoring and collecting Android smartphone users’ sensitive personal data while users interacted with apps not owned by the defendant; or (ii) generally collecting “sensitive personal data to obtain an unfair economic advantage.” While the court dismissed the plaintiff’s California Invasion of Privacy Act claims, it allowed claims brought under the California Consumers Legal Remedies Act (which “prohibits ‘unfair methods of competition and unfair or deceptive acts or practices’”) to proceed based on the reasoning that if the defendant had disclosed these material facts, the plaintiff would have acted differently.
The defendant moved to compel arbitration, claiming the plaintiff was using a smartphone that was bound by an arbitration provision. The plaintiff countered in both the complaint and first amended complaint, as well as in his initial disclosures, that the phone he originally purchased was never subject to an arbitration agreement. However, the court noted that account information later showed that the smartphone used by the plaintiff at the time he filed suit, as well as the smartphone he later switched to, both came with individual arbitration provisions and class waivers, subject to user opt out. The court stated that the plaintiff did not opt out of arbitration for either smartphone, and further denied the plaintiff’s motion for leave to file a second amended complaint, dismissing the action without prejudice.
Recently, the California Department of Financial Protection and Innovation (DFPI) reminded companies licensed under the California Financing Law that they must transition onto the Nationwide Multistate Licensing System & Registry (NMLS) by December 31. Licensees not currently on the NMLS must establish an account in the system and transfer information to DFPI through NMLS on or before the deadline. Applicants and transitioning licensees are required to submit IRS and Secretary of State documentation identifying the employer identification number and the state where the company is registered as a business. DFPI further stated that the time for “DFPI to process the licensee’s NMLS transition does not [affect] the licensure status of the licensee, and may occur after the licensee’s December 31, 2021 deadline to submit the licensee’s information to the DFPI through NMLS.”
Recently, the California Department of Financial Protection and Innovation (DFPI) released several new opinion letters covering aspects of the California Money Transmission Act (MTA) related to virtual currency and agent of payee rules. Highlights from the redacted letters include:
- Cryptocurrency and Agent of Payee Exemption. The redacted opinion letter reviewed whether MTA licensure is required for a company’s proposal to offer payment processing services that would enable merchants to receive payments in U.S. dollars from buyers of goods and services, automatically exchange these payments into dollar-denominated tokens on a blockchain network, and to store the tokens in a custodial digital wallet. DFPI currently does not require licensure for companies to receive U.S. dollars from a buyer for transfer to a merchant’s wallet as dollar tokens. DFPI explained that even if it did regulate this activity, the structure of the company’s payment processing services satisfies the requirements of the agent-of-payee exemption, wherein the company acts as the agent of the merchant pursuant to a preexisting written contract and the company’s receipt of payment satisfies the buyer’s obligation to the merchant for goods or services. DFPI further explained that while storing dollar tokens in a custodial digital wallet or making subsequent transfers out of a wallet do not currently require licensure under the MTA, DFPI may later determine the activities are subject to regulatory supervision.
- Asset-Backed Tokens and Other Cryptocurrency. The redacted opinion letter asked DFPI whether an MTA license is required to (i) provide technical services to enable owners of metal to create digital assets representing interests in that metal; (ii) facilitate trading in these digital assets; or (iii) provide digital wallets to customers. The company intends to create a platform to facilitate the creation, sale, and trading of metal asset-backed tokens, whereby a customer purchases metal asset-backed tokens (ABTs) or currency tokens using fiat currency stored in an FBO account. Customers will not be allowed to transmit fiat currency to each other except to facilitate the purchase of ABTs or currency tokens, to receive proceeds from ABTs, or to pay platform fees. DFPI explained that while issuing stored value is generally considered money transmission, “[p]roviding technical services to assist in the creation of a [m]etal ABT and [i]ndustrial [t]okens and issuing a digital wallet holding the [m]etal ABT does not require licensure.” DFPI noted that the company is not itself issuing the ABT or industrial tokens. DFPI further concluded that the company does not need an MTA license to issue a digital wallet holding metal ABTs because the digital wallet is not stored value nor can the wallet’s contents be redeemed for money or monetary value or be used as payment for goods or services. DFPI separately indicated that a license is not currently required to facilitate the sale of ABTs, nor the issuance and sale of currency tokens. However, DFPI warned the company that the opinion only pertains to MTA, and that the company should be aware that metal ABTs and industrial tokens “could be considered a commodity and California Corporations Code section 29520 generally prohibits the sale of a commodity, unless an exception applies.”
- Cryptocurrency-to-Precious Metals Dealer. The redacted opinion letter reviewed whether an online cryptocurrency-to-precious metals dealer, which accepts a variety of different cryptocurrencies in exchange for precious metals and also purchases precious metals from customers using different cryptocurrencies, requires MTA licensure. The company referenced a 2016 decision where DFPI determined that a company operating a software technology platform to facilitate the purchase and sale of gold was not engaged in money transmission, that gold and other precious metals were not payment instruments, that the transactions did not represent selling or issuing stored value, and that “the activity did not constitute receiving money for transmission because the sale or repurchase of gold was a bargained-for-exchange and did not involve transmission to a third party.” The company argued that purchasing and selling precious metals with cryptocurrency is similar and should not trigger MTA’s licensing requirement. DFPI agreed that the company’s business activities do not meet the definition of money transmission because precious metals are not payment instruments, and as such, purchasing and selling precious metals for cryptocurrency does not represent the sale or issuance of a payment instrument. Additionally, DFPI concluded that the company is not selling or issuing stored value, nor do the transactions “involve the receipt of money or monetary value for transmission within or outside the U.S.”
- Virtual Currency Wallet. The redacted opinion letter asked whether an MTA license is required to operate a platform that will provide customers with an account to store and transfer virtual currencies. The company will also provide customers access to an exchange where they can facilitate the purchase or sale of virtual currencies in exchange for other virtual currencies. Fiat currency will not be used on the platform. DFPI stated that it does not currently require companies to obtain an MTA license to operate a platform that provides customers with an account to store and transfer virtual currencies. DFPI further stated that a license is not required to operate a platform that gives customers access to an exchange to purchase or sell virtual currencies in exchange for other virtual currencies.
- Purchase of Cryptocurrency. The redacted opinion letter examined whether a company that offers clients a direct opportunity to buy cryptocurrency in exchange for fiat currency requires MTA licensure. The company explained, among other things, that there is no transmission of cryptocurrency to third parties and that it does not offer money transmission services. DFPI concluded that because the company’s activities are limited to directly selling cryptocurrency to clients, it “does not require an MTA license because it does not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.”
DFPI reminded the companies that its determinations are limited to the presented facts and circumstances and that any change could lead to different conclusions. Moreover, the letters do not relieve the companies from any FinCEN or federal regulatory obligations.
On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice of motion and motion for preliminary approval of class action settlement, a software vendor notified its clients, including the grocery store, that its software had been breached. As a result of the breach, hackers accessed personally identifiable information (PII) of approximately 3.82 million of the grocery store’s pharmacy customers and employees. Under the preliminary settlement, claimants may choose to receive either (i) a cash payment, with an estimated value between $18 and $91 for non-California residents and between $36 and $182 for California residents; (ii) two years of credit monitoring and insurance services; or (iii) reimbursement of any documented losses of up to $5,000. The proposed settlement also contains “robust injunctive relief,” including requirements that the grocery store chain (i) confirm that class members’ sensitive PII is secured; (ii) monitor the dark web for five years for fraudulent activity related to class members' PII; and (iii) enhance its third-party vendor risk management program. The district court also noted that any class member can appear at the fairness hearing to object to any aspect of the settlement, and that class members have 75 days after being notified of the deal to file their written objections or opt out of the settlement. The proposed settlement would not resolve any claims against the software vendor. Additionally, the court issued an order denying a motion to intervene by a group of objectors finding that they failed to “identify a protectable interest that will be impaired if they are unable to intervene.”
On November 5, the California Department of Financial Protection and Innovation (DFPI) issued a fourth draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written, consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. California released the first draft of the proposed regulations in July 2019, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released second and third rounds of modifications in August and October of this year (covered by InfoBytes here, here, here, and here). The fourth modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications amend the term “average monthly cost” to mean the average total amount paid by the recipient (for periodic and irregular payments) over a contract’s term divided by the number of months specified in the contract. Providers may divide the number of days in the contract term by 30.4 to determine the number of months in the contract term. This calculation may also be used to determine the “estimated monthly cost.” Comments on the fourth modifications must be received by November 22.
On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information. The defendants were the targets of security breach incidents in which an unauthorized user’s access to the defendants’ network and computer systems resulted in unauthorized access to personal, private information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.