District Court approves $1.75 million data breach settlement
On March 3, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial information, social security numbers, health records, and other personal data. The affected individuals are students, parents, and guardians who were enrolled in a system used to manage student data in a California school district. According to class members, by failing to adequately safeguard users’ login credentials and by failing to timely notify individuals of the breach, the company violated, among other things, California’s unfair competition law, the California Customer Records Act, and the California Consumer Privacy Act.
Under the terms of the settlement, the company is required to pay a non-reversionary settlement amount of $1.75 million, which will be used to compensate class members and pay for attorney fees and costs, service awards, and administrative expenses. Additionally, as outlined in the motion for preliminary approval of the class action settlement, class members are eligible to submit claims for “ordinary losses” (capped at $1,000 per person), as well as “extraordinary losses” (capped at $10,000 per person). Ordinary losses include expenses such as bank fees, long distance phone charges, certain cell phone charges, postage, gasoline for local travel, “[f]ees for additional credit reports, credit monitoring, or other identity theft insurance products,” and up to 40 hours of time, at $25/hour, for at least one full hour used to deal with the data breach. Extraordinary losses are described as those “arising from financial fraud or identity theft” where the “loss is an actual, documented, and unreimbursed monetary loss” and is “fairly traceable to the data breach” and not already covered by another reimbursement category. Class members must also show that they made “reasonable efforts to avoid, or seek reimbursement for, the loss.” All class members will be offered 12 months of credit monitoring and identity theft protection at no cost, and the company will implement “information security enhancements” to prevent future occurrences.
Biden administration urges states to join fee crackdown
On March 8, the Biden administration convened a gathering of state legislative leaders to hold discussions about so-called “junk fees”—described as the “unnecessary, unavoidable, or surprise charges” that obscure true prices and are often not disclosed upfront. While the announcement acknowledged actions taken by federal agencies over the past few years to crack down on these fees, the administration recognized the role states play in advancing this effort. The Guide for States: Cracking Down on Junk Fees to Lower Costs for Consumers outlined actions states can take to address these fees, and provided several examples of alleged junk fees, including hotel resort fees, debt settlement fees, event ticketing fees, rental car and car purchase fees, and cable and internet fees. The guide also highlighted “the banking industry’s excessive and unfair reliance on banking junk fees.” The administration pointed out that a number of businesses have changed their policies in response to the increased scrutiny of junk fees and said several banks have ended fees for overdraft protection. The same day, the CFPB released a new Supervisory Highlights, which focused on junk fees uncovered in deposit accounts and the auto, mortgage, student, and payday loan servicing markets (covered by InfoBytes here).
Additionally, HUD Secretary Marcia L. Fudge published an open letter to the housing industry and state and local governments, encouraging them to “limit and better disclose fees charged to renters in advance of and during tenancy.” Fudge noted that “actions should aim to promote fairness and transparency for renters while ensuring that fees charged to renters reflect the actual and legitimate costs to housing providers.”
California Attorney General Rob Bonta also issued a statement responding to the administration’s call to end junk fees. “Transparency and full disclosure in pricing are crucial for fair competition and consumer protection,” Bonta said, explaining that in February the state senate introduced legislation (see SB 478) to prohibit the practice of hiding mandatory fees.
DFPI issues more proposed changes to Student Loan Servicing Act
On March 6, the California Department of Financial Protection and Innovation (DFPI) issued a notice of second modifications to proposed regulations under the Student Loan Servicing Act (Act), which provides for the licensure, regulation, and oversight of student loan servicers by DFPI (covered by InfoBytes here). Last September, DFPI issued proposed rules to clarify, among other things, that income share agreements (ISAs) and installment contracts, which use terminology and documentation distinct from traditional loans, serve the same purpose as traditional loans (i.e., “help pay the cost of a student’s higher education”), and are therefore student loans subject to the Act. As such, servicers of these products must be licensed and comply with all applicable laws, DFPI said. (Covered by InfoBytes here.) In January, DFPI issued modified proposed regulations, outlining additional changes to definitions, time zone requirements, borrower protections, and examinations, books, and records requirements. (Covered by InfoBytes here.)
Following its consideration of public comments on the modified proposed regulations, DFPI is proposing the following additional changes:
- Amendments to definitions. Among other changes, the proposed changes amend “education financing products” to include private student loans which are not traditional loans. This change reverts the definition back to the word used in the original proposed rules. DFPI explained that this change “is necessary because the term ‘private student loan’ is defined later in the rules . . . but the term ‘private education loan’ is not separately defined.” The proposed changes also clarify “that the payment cap, which is the maximum amount payable under an income share agreement, may be expressed as an APR or an amount or a multiple of the amount advanced, covered, credited, deferred, or funded, excluding charges related to default.” Additionally, the changes revise the definition of “qualifying payment” to explain that “qualifying payments count toward maximum payments and the payment cap but not also the payment term.”
- Borrower protections. The first round of changes revised the time zone in which a payment must be received to be considered on-time to Pacific Time, in order to protect California borrowers. However, in further modifying the timing requirement, DFPI explained in its notice that “[r]equiring cut off times different than those posted on the servicer’s website just for California borrowers would deviate from standard current practices, would require system changes and enhancements that would be very expensive to implement and could cause confusion and operational risk to both servicers and borrowers. Limiting the exception to only those situations where the servicer has not posted the cut off time aligns with servicers’ operational capabilities and national banking standards.”
- Qualified written requests. The proposed changes clarify requirements for sending acknowledgments of receipt and responses to qualified written requests.
The second modifications also clarify provisions related to education financing servicing report requirements, and provide that upon notice, a student loan servicer must make available for inspection its books, records, and accounts at a licensed location designated by the DFPI or electronically.
Comments on the second modifications are due March 23.
9th Circuit concludes district attorneys can sue national banks in state court
On February 27, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision to abstain from enjoining a state action brought by a California county district attorney (DA) against a national bank, concluding that the enforcement action was not an exercise of “visitorial powers.” According to the opinion, the DA launched an investigation into the bank’s vendor and issued the bank an investigative subpoena seeking records of its banking activities. The bank objected, claiming the request “improperly infringes on the exclusive visitorial powers of the [OCC]” because it sought to inspect the bank’s books and records. The bank subsequently filed a complaint in the U.S. District Court for the Central District of California asking the court to enjoin the state action and requesting injunctive relief to prevent the DA from taking any action to enforce federal and state lending, debt collection, and consumer laws against the bank, or from exercising visitorial powers in violation of the National Bank Act (NBA). The DA withdrew his investigative subpoena and moved to dismiss for lack of subject matter jurisdiction on the ground that the case was now moot. The motion to dismiss was denied on the premise that the DA had not demonstrated that a “renewed investigative subpoena against [the bank] ‘could not be reasonably be expected.’”
The DA then filed a complaint in state court claiming the bank violated California law by hiring a third-party vendor to place “extensive harassing” debt collection phone calls to residents in the state. The complaint alleged violations of California’s Unfair Competition Law, the Rosenthal Fair Debt Collections Practices Act, and the right to privacy under the California Constitution. In federal court, the bank moved for summary judgment, arguing that the state action was an improper exercise of visitorial powers. The district court, however, ruled that the Younger v. Harris abstention (in which a federal court refrains from staying or enjoining pending state criminal prosecutions absent extraordinary circumstances or state civil enforcement actions when certain conditions are met) applied. The bank appealed.
The 9th Circuit considered two questions: (i) whether the Younger abstention was correctly applied, and (ii) whether the DA’s state court action “was an impermissible exercise of visitorial powers vested exclusively with the OCC.” The 9th Circuit held that the district court was correct in applying the Younger abstention doctrine because (i) “the state action qualified as an ‘ongoing’ judicial proceeding because no proceedings of substance on the merits had taken place in the federal action”; (ii) the state court action implicated an important state interest in consumer protection and nothing in federal law bars a DA from suing a national bank; (iii) the bank had the option to raise a federal defense under the NBA in the state court action; and (iv) the injunction the bank requested in the federal action would interfere with the state court proceeding. The 9th Circuit also rejected the bank’s arguments that the state action constituted an illegal exercise of visitorial powers that only belongs to the OCC or state attorneys general. The 9th Circuit cited the U.S. Supreme Court’s decision in Cuomo v. Clearing House Ass’n, L.L.C., in which the high court “held that bringing a civil lawsuit to enforce a non-preempted state law is not an exercise of visitorial powers,” and that “a sovereign’s ‘visitorial powers’ and its power to enforce the law are two different things.” Relying on the Cuomo holding, the 9th Circuit found that accepting the bank’s position “would mean that actions brought against national banks by federal or state agencies or, for that matter, individuals would be forbidden as unlawful exercises of visitorial powers.” “Such a result is wrong. It contradicts established law and is unsupported by any legal authority cited by [the bank]” and would additionally “raise serious anti-commandeering concerns under the Tenth Amendment.”
DFPI settles with student loan debt relief company
On February 28, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with an unlicensed student debt relief company and its owner. The announcement is part of the DFPI’s continued crackdown on student loan debt relief companies found to have violated the California Consumer Financial Protection Law (CCFPL), the Student Loan Servicing Act (SLSA), and the Telemarketing Sales Rule (TSR). According to the settlement, a DFPI inquiry into the company’s practices found that since at least 2018, the company placed unsolicited phone calls to consumers advertising its student loan forgiveness and modification services. The company allegedly gave borrowers the impression that it was a part of, or affiliated with, an official government agency, and would act “as an intermediary between borrowers and the borrowers’ lenders or loan servicers with the goal of helping those consumers lower or eliminate their student loan debts.” The DFPI found that since 2018 at least 790 California consumers enrolled in the company’s debt relief program, whereby the company collected at least $713,000 through up-front servicing fees ranging from $116 to $2,449 from California consumers. By allegedly engaging in unlicensed student loan servicing activities, engaging in unlawful, unfair, deceptive, or abusive acts or practices with respect to consumer financial products or services, and by charging advance fees for debt relief services, the DFPI claimed the company violated the SLSA, CCFPL, and TSR.
Under the terms of the consent order, the company and owner must desist and refrain from engaging in the alleged conduct, rescind all debt relief, debt management, or debt consulting service agreements, and issue refunds to California consumers. The owner is also ordered to “desist and refrain from owning, managing, operating, or controlling any entity that services student loans, or which offers or provides any consumer financial products or services as defined by the CCFPL, unless and until he or the entity has the applicable approvals from the DFPI and is in compliance with the SLSA, CCFPL, TSR, and the Federal Trade Commission Act.”
DFPI modifies CCFPL proposal
On February 24, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last June to implement sections 22159, 22800, 22804, 90005, 90009, 90012, and 90015 of the CCFPL related to the offering and provision of commercial financing and other financial products and services to small businesses, nonprofits, and family farms. According to DFPI, section 22800 subdivision (d) authorizes the Department to define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing. Section 90009, subdivision (e), among other things, authorizes the Department’s rulemaking to include data collection and reporting on the provision of commercial financing or other financial products and services.
After considering comments received on the NPRM, changes proposed by the DFPI include the following:
- Amended definitions. The proposed modification defines a “commercial financing transaction” to mean “a consummated commercial financing transaction for which a disclosure is provided in accordance with California Code of Regulations, title 10, section 920, subdivision (a).” The modifications to the definitions also amend a “covered provider” to exclude “any person exempted from division 24 of the Financial Code under Financial Code section 90002,” and defines a “small business” to be “a business entity organized for profit with annual gross receipts of no more than $16,000,000 or the annual gross receipt level as biennially adjusted by the Department of General Services in accordance with Government Code section 14837, subdivision (d)(3), whichever is greater.” In determining a business entity’s annual gross receipts, the proposed modifications state that covered providers “may rely on any relevant written representation by the business entity, including information provided in any application or agreement for commercial financing or other financial product or service.”
- UDAAP. In addition to making several technical changes, the proposed modifications clarify that “[i]t is unlawful for a covered provider to engage or have engaged in any unfair, deceptive, or abusive act or practice in connection with the offering or provision of commercial financing or another financial product or service to a covered entity.” The changes remove text that would have made it unlawful should a covered provider “propose to engage” in any of these practices.
- Annual reporting requirements. The proposed modifications specify that covered providers who offer commercial financing will be required to electronically file reports to the DFPI on or before March 15 of each year starting in 2025. The proposed changes to the reporting requirements also clarify certain terms, address when covered providers are not required to calculate or report certain information, and stipulate that covered providers “licensed under division 9 (commencing with section 22000) of the Financial Code shall not include in the report required under this section information for activity conducted under the authority of that license.”
Comments on the proposed modifications are due March 15.
DFPI launches crypto scam tracker
On February 16, the California Department of Financial Protection and Innovation (DFPI) launched a database to help consumers in the state spot and avoid crypto scams. The Crypto Scam Tracker compiles details about apparent crypto scams identified through a review of public complaints submitted to the DFPI, and is searchable by company name, scam type, or keywords. “Through the new Crypto Scam Tracker, combined with rigorous enforcement efforts, the DFPI is committed to shining a light on these ruthless predators and protecting consumers and investors,” DFPI Commissioner Clothilde Hewlett said in the announcement.
California Dept. of Real Estate reminds licensees of fiduciary duty requirements
The California Department of Real Estate (DRE) recently reminded real estate licensees with a mortgage loan origination (MLO) endorsement of their fiduciary duty to borrowers. DRE licensees (including brokers, salespersons, and broker-associates supervised by a broker) who provide mortgage brokerage services to a borrower act as a fiduciary of that borrower, the DRE said, explaining that this “includes placing the economic interest of the borrower ahead of their own.” The Bulletin noted that California courts have held that the fiduciary relationship not only requires the broker to act in the highest good faith toward their client but also prohibits the broker from obtaining any advantage over the client by virtue of the fiduciary relationship. Licensees who violate their fiduciary duties may face DRE-disciplinary action against their real estate license and/or MLO endorsement and may also expose themselves to civil liability.
Licensees are reminded that they are required to be aware of all laws, regulations, and rules governing their activities, including the federal Loan Originator Compensation (LO Comp) Rule, which “prohibits loan originators, including brokers, from receiving compensation based on the terms of consumer mortgage transactions.” Prior to the LO Comp Rule, mortgage brokers often received commissions that varied based on the terms of the mortgage loans they obtained for their clients, and in many cases received larger commissions on loans carrying less advantageous terms (e.g., loans with a higher interest rate would result in a larger commission than the same loan with a lower interest rate). The LO Comp Rule now prohibits this practice.
The Bulletin also reminded licensees that receiving greater compensation for acting against the economic interests of a consumer would also violate a broker’s fiduciary responsibility to place the economic interest of their client ahead of their own, should the decision be motivated by a financial desire to increase compensation. Further, licensees may not steer or direct a borrower to close a loan with a particular lender in exchange for receiving a higher commission unless the transaction is the best loan for the borrower. Licensees must also disclose to a borrower the costs and expenses associated with the loan, and disclose all compensation received in the transaction. Taking any secret or undisclosed compensation, commission, or profit is also prohibited, the Bulletin said.
California’s privacy agency finalizes CPRA regulations
On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, which will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).
According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:
- Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
- Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
- Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time-consuming paths for more privacy-protective options than paths to exercise less privacy-protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely given, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
- Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
- Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
- Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, businesses should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
- Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of personal sensitive information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.
The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16 years of age, and modify provisions related to investigations and enforcement.
Separately, on January 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.
DFPI takes action against five debt collectors
On January 30, the California Department of Financial Protection and Innovation (DFPI) announced enforcement actions against five separate debt collectors for unlicensed activity under the Debt Collection Licensing Act (DCLA) and unlawful and deceptive acts or practices in violation of the California Consumer Financial Protection Law (CCFPL). According to DFPI, the desist and refrain orders allege that the subjects engaged in a variety of different unlawful and deceptive practices, including, among other things: (i) engaging in debt collection in California without a license from the DFPI; (ii) attempting to collect a debt that a consumer did not owe; (iii) making unlawful threats to sue on debts; (iv) making false claims of pending lawsuits; and (v) failing to notify consumers of their right to request validation of debts. According to DFPI Commissioner Clothilde Hewlett, the agency has observed “an increase in fake debt collector scams in recent months,” and is “committed to rigorous, ongoing enforcement efforts to protect Californians from these deceitful practices.” The combined actions resulted in penalties totaling $120,000 and ordered the debt collectors to desist and refrain from violating the DCLA and CCFPL.