InfoBytes Blog

Financial Services Law Insights and Observations

  • California requires consumer credit contract notices to be provided in multiple languages

    State Issues

    On August 15, the California governor signed SB 633, which expands the obligation of creditors who obtain more than one person’s signature on a consumer credit contract when providing cosigners a notice regarding their obligation if the borrower does not pay the debt. Under existing law, these notices had to be provided in English and in Spanish. A creditor who provides a consumer a contract in a foreign language will now have to provide the cosigner notice in the language in which the contract is written. In addition to expanding the languages the notice must be provided in, the required cosigner notice must be provided even if the individuals are married to each other. SB 633 also requires the California Department of Financial Protection and Innovation to provide translations of these notices on its website by January 1, 2023, along with any translations of languages later added to state law. Additionally, notice must be provided only on a separate sheet preceding the contract.

    State Issues State Legislation California Consumer Finance DFPI

  • DFPI enters into settlement with unlicensed point-of-sale lender

    State Issues

    On August 3, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with a Florida-based point-of-sale lender for allegedly engaging in the business of finance lending in California without obtaining a license. According to the settlement, after conducting an inquiry, DFPI determined that the company violated California Financial Code section 22100(a) “by making loans through the operation of ‘buy now, pay later’ point-of-sale products” without obtaining a proper license. The company voluntarily agreed to the consent order and, among other things: (i) agreed to desist and refrain from engaging in the business of a finance lender or broker in California unless/until it obtains a California Financing Law (CFL) license authorizing the company to conduct business as a finance lender or broker; (ii) must pay an administrative penalty of $2,500; and (iii) must refund fees totaling $13,065. The company also agreed that it will only make loans, deferred payment products, and extensions of credit to California residents under the authority of a CFL license and in compliance with the statute.

    State Issues Licensing DFPI State Regulators California Financing Law Enforcement California Buy Now Pay Later

  • California Privacy Protection Agency opposes federal privacy bill

    Privacy, Cyber Risk & Data Security

    On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could nearly eliminate” the agency’s ability to fulfill its responsibility to protect Californians’ privacy rights and claimed that the bill’s provisions are “substantively weaker” than the California Privacy Rights Act. “ADPPA represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally,” the CPPA stressed in its letter. “Americans deserve, and the Agency could support, a framework that offers both: a floor of federal protections that preserves the ability of the states to continue to improve protections in response to future threats to consumer privacy.”

    Last month the U.S. House Committee on Energy and Commerce voted 53-2 to send the ADPPA to the House floor with amendments that would enable the California agency to enforce the federal law (covered by InfoBytes here). However, the CPPA noted that “the language in the bill still raises significant uncertainties for the Agency were it to seek to enforce the federal measure.” Additionally, the bill, which has been revised from its initial draft (covered by a Buckley Special Alert), would preempt the current patchwork of five state privacy laws—which “would be an anomaly,” the CPPA said, given that current federal privacy laws such as the Health Information Portability and Accountability Act, the Gramm Leach Bliley Act, and the FCRA all contain language allowing states to adopt stronger protections. Pointing out that the bill’s “preemption language is especially concerning given the rate at which technology continues to advance and evolve,” the CPPA stressed the importance of states being able to build on their existing laws and allowing voters to seek out additional protections.

    Privacy, Cyber Risk & Data Security State Issues Federal Issues Federal Legislation Consumer Protection CPPA California American Data Privacy and Protection Act

  • Court grants final approval of privacy class action settlement

    Courts

    On July 20, the U.S. District Court for the Northern District of California granted final approval of a class action settlement in a suit against a fintech company alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. As previously covered by InfoBytes, the district court granted preliminary approval of the $58 million settlement in November. In granting final approval of the settlement, the court determined it was adequate, and noted that the plaintiffs’ claim that the defendant’s practices breached California’s anti-phishing law was “relatively untested.” In addition to the $58 million settlement fund, the settlement provides for injunctive relief.

    Courts California Class Action Settlement Data Collection / Aggregation Privacy, Cyber Risk & Data Security

  • DFPI issues annual reports on 2021 mortgage, payday loan trends

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued two reports: Annual Report of Activity Under the California Residential Mortgage Lending Act and the Annual Report Of Payday Lending Activity Under The California Deferred Deposit Transaction Law. The DFPI’s first report noted decreases in the number and cumulative amounts of loan originations and payday loans in 2021 compared to 2020. Additionally, it found that the number of loans originated by licensees decreased from 1,130,230 in 2020 to 1,018,286 in 2021. The report also found that the number of brokered loans increased from 17,715 in 2020 to 18,508 in 2021. In addition, the report found that licensees’ complaints regarding non-traditional mortgage loans increased from 13,421 in 2020 to 17,404 in 2021.

    In its second report, the DFPI noted that the Covid-19 pandemic “likely played a role” in the decrease in payday lending in the state. The number of individuals taking out payday loans also fell from 1.128 million in 2020 to 790,143 in 2021. Other highlights of the reports include, among other things, that: (i) the number of payday loan customers referred by lead generators rose from 98,555 in 2020 to 109,486 in 2021; (ii) approximately 20 percent of licensees made payday loans over the Internet during 2021, with online payday loans accounting for about 45.2 percent (2,047,889) of all payday loans; and (iii) approximately 416,000 payday loan customers, or about 53 percent of the total, obtained their loans online.

    State Issues California Payday Lending DFPI

  • DFPI issues proposal on debt collection licensing

    On July 15, the California Department of Financial Protection and Innovation (DFPI) issued an invitation for comments on draft text for a proposed second rulemaking (NPRM) related to the scope, annual report, and document retention requirements under the Debt Collection Licensing Act (the Act). As previously covered by InfoBytes, in 2020, California passed and adopted the Act, which requires a person engaging in the business of debt collection in California to be licensed and provides for the regulation and oversight of debt collectors by DFPI. Previously, DFPI issued an NPRM (which was later amended) to adopt new debt collector licensing requirements by regulation (covered by InfoBytes here).

    The newest NPRM follows an August 2021 initial request for comments on anticipated rulemaking related to the scope, annual report, and bond amount increase provisions of the Act (covered by InfoBytes here). The NPRM seeks input from stakeholders on topics related to:

    • Definitions and terms. Amendments and expansions to certain defined terms, including “employee,” “engage in the business of debt collection,” and “net proceeds generated by California debtor accounts.”
    • Exemptions. Under the NPRM, employees of debt collectors will not be required to be licensed under the Act “when acting within the scope of their employment” with a licensed debt collector. Additionally, the Act’s listed exemptions apply only to the underlying applicant or licensee—the exemption is not applicable to parent entities, subsidiaries, or to affiliates. The NPRM further provides that creditors collecting consumer debts in their own names are not considered to be debt collectors for licensing purposes, unless they meet certain criteria. The NPRM also lists other exemptions for persons solely servicing non-defaulted debts on behalf of an original creditor, healthcare providers, local, state, or federal government bodies, or public utilities acting under the supervision of the California Public Utilities Commission.
    • Consumer credit transactions. The NPRM specifies that the following types of debt are not considered “consumer debt” to be regulated under the Act: most residential rental debt, debt owed to an HOA or other equivalent written agreement, deferred debt from a consumer’s acquisition of healthcare or medical services, and failed personal checks.
    • Annual reports. With respect to annual reporting requirements, the NPRM states that the “total number of California debtor accounts should be counted by transaction, not by debtor” (i.e., should a single debtor have multiple accounts, each account should be counted separately). The NPRM also outlines criteria for reporting the total number of accounts and dollar amounts.
    • Record retention. With respect to document retention, licensees will be obliged to follow specific criteria for preserving the records “of any contact with, or attempt to contact, anyone associated with a debtor account, regardless of who initiated the contact and whether the attempt at contact is successful.” Licensees will be required to retain this information, as well as additional documents, for at least seven years after the account is settled, returned to the creditor, sold, or collection attempts have stopped.

    Comments to the NPRM are due August 29.

    Licensing State Issues State Regulators DFPI California Debt Collection

  • California’s privacy agency initiates formal CPRA rulemaking

    Privacy, Cyber Risk & Data Security

    On July 8, the California Privacy Protection Agency (CPPA) initiated formal rulemaking procedures to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during a February meeting that the rulemaking process will extend into the second half of the year.

    The July proposed regulations modify definitions in the CCPA regulations; outline restrictions on the collection and use of personal information; provide disclosure and communications requirements; describe requirements for submitting CCPA requests and obtaining consumer consent; amend required privacy notices; provide instructions for the Notice of Right to Limit Use of Sensitive Personal Information; amend methods for handling consumer requests to delete, correct, and know; set forth requirements for opt-out preference signals; and address consumer requests for limiting the use and disclosure of sensitive personal information. Comprehensive details of the modified provisions and proposed regulations are available in previous InfoBytes coverage here.

    The CPPA stated in its notice of proposed rulemaking that the proposed regulations serve three primary purposes: to (i) “update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA”; (ii) “operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law”; and (iii) “reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.” The CPPA emphasized that the proposed regulations are designed to factor in privacy laws in other jurisdictions and “implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.” This design, the CPPA said, will simplify compliance for businesses operating across jurisdictions and avoid unnecessary confusion for consumers who may not understand which laws apply to them.

    A hearing on the proposed regulations is scheduled for August 24 and 25. Comments are due August 23.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues California CPRA CCPA CPPA Consumer Protection

  • DFPI concludes MTA licensure not required for donations to NPOs

    Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to certain agent of payee requirements. The redacted opinion letter examines whether the inquiring company’s product for donations to nonprofit organizations (NPOs) is exempt from the MTA. DFPI also reviewed whether: (i) money held by the company in an operating account, related to MTA-exempt activities such as NPO donations, is stored value; and (ii) closed loop transactions, and specific bank-issued open-loop gift cards without cash access, are exempt from the MTA. The Washington state-headquartered company sells reward programs to businesses that are used to incentivize purchases by their customers, reward customer loyalty, and reward employee performance. The opinion letter does not address closed loop gift cards and open loop gift cards, as DFPI previously issued an opinion letter regarding these products on February 19, 2020, nor does it address a yet-to-be introduced reward program that deposits cash into a recipient’s account or provides credit to a specified credit card as the company already acknowledges that this service constitutes regulated activity under the MTA. 

    However, the opinion letter does address circumstances when an NPO donation is selected by a recipient from the company’s reward options. In this instance, the reward amount is transferred from the company’s operating account to its custodial bank account designated “For the Benefit Of Customers” held at a national bank. The company then “aggregates contributions to each NPO and distributes these amounts, less its 8% administrative fee, directly to the NPOs on a weekly basis.” According to the company, “[f]unds do not move out of the NPO Account until these payments are made and the NPO Account is not used for any purposes other than NPO Donations.” DFPI concluded that the company’s current NPO agreement satisfies the agent of payee requirements for exemption from the MTA, and that as such, NPO donations are not a regulated activity. Specifically, the company’s NPO agreement provides that the company is appointed as the NPO’s agent and is obligated to remit all funds collected on the NPO’s behalf to the NPO. Receipt of the funds from the company’s client “constitutes receipt by the NPO, even if the NPO does not receive the funds from [the client].” The company, and not the client or recipient, is solely responsible to the NPO, DFPI said, adding that “[c]lient funds temporarily being held in [the company’s bank] operating account in prepayment for closed loop gift cards, bank-issued open loop gift cards, and NPO donations are not stored value.”

    Licensing State Issues DFPI Nonprofit California Money Transmission Act California State Regulators

  • District Court preliminarily approves $3.7 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action Data Breach California Settlement

  • DFPI seeks to regulate commercial financial products and services under the CCFPL

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, the CCFPL became law in 2020 and, among other things, (i) establishes UDAAP authority for the DFPI; (ii) authorizes the DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful (thus going beyond both Dodd-Frank and existing California law); (iii) provides the DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that enforcement of the CCFPL will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), the law expands the DFPI’s oversight authority to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.

    The NPRM proposes new rules to implement sections 22159, 22800, 22804, 90005, 90009, 90012, and 90015 of the CCFPL related to the offering and provision of commercial financing and other financial products and services to small businesses, nonprofits, and family farms. According to DFPI’s notice, section 22800 subdivision (d) authorizes the Department to define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing. Section 90009, subdivision (e), among other things, authorizes the Department’s rulemaking to include data collection and reporting on the provision of commercial financing or other financial products and services.

    Among other things, the NPRM:

    • Clarifies that the CCFPL makes it unlawful for covered providers, as defined, to engage in unfair, deceptive, or abusive acts or practices;
    • Provides standards for determining whether an act or practice is unfair, deceptive, or abusive;
    • Defines small business, nonprofit, and family farm, among other terms;
    • Clarifies DFPI's ability to enforce the regulation’s provisions;
    • Requires covered providers to submit annual reports containing information about their provision of commercial financing or other financial products and services to small businesses, nonprofits, and family farms;
    • Identifies persons excluded from the reporting requirement;
    • Specifies the information required in the reports, and provides guidance on calculating or determining certain information;
    • Clarifies the obligations of those also submitting annual reports to DFPI as licensees under the California Financing Law.

    Written comments on the NPRM are due by August 8.

    State Issues Agency Rule-Making & Guidance DFPI California Commercial Finance UDAAP Small Business Financing
