InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DFPI concludes MTA licensure not required for donations to NPOs
Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to certain agent of payee requirements. The redacted opinion letter examines whether the inquiring company’s product for donations to nonprofit organizations (NPOs) is exempt from the MTA. DFPI also reviewed whether: (i) money held by the company in an operating account, related to MTA-exempt activities such as NPO donations, is stored value; and (ii) closed loop transactions, and specific bank-issued open-loop gift cards without cash access, are exempt from the MTA. The Washington state-headquartered company sells reward programs to businesses that are used to incentivize purchases by their customers, reward customer loyalty, and reward employee performance. The opinion letter does not address closed loop gift cards and open loop gift cards, as DFPI previously issued an opinion letter regarding these products on February 19, 2020, nor does it address a yet-to-be introduced reward program that deposits cash into a recipient’s account or provides credit to a specified credit card as the company already acknowledges that this service constitutes regulated activity under the MTA.
However, the opinion letter does address circumstances when an NPO donation is selected by a recipient from the company’s reward options. In this instance, the reward amount is transferred from the company’s operating account to its custodial bank account designated “For the Benefit Of Customers” held at a national bank. The company then “aggregates contributions to each NPO and distributes these amounts, less its 8% administrative fee, directly to the NPOs on a weekly basis.” According to the company, “[f]unds do not move out of the NPO Account until these payments are made and the NPO Account is not used for any purposes other than NPO Donations.” DFPI concluded that the company’s current NPO agreement satisfies the agent of payee requirements for exemption from the MTA, and that as such, NPO donations are not a regulated activity. Specifically, the company’s NPO agreement provides that the company is appointed as the NPO’s agent and is obligated to remit all funds collected on the NPO’s behalf to the NPO. Receipt of the funds from the company’s client “constitutes receipt by the NPO, even if the NPO does not receive the funds from [the client].” The company, and not the client or recipient, is solely responsible to the NPO, DFPI said, adding that “[c]lient funds temporarily being held in [the company’s bank] operating account in prepayment for closed loop gift cards, bank-issued open loop gift cards, and NPO donations are not stored value.”
District Court preliminarily approves $3.7 million data breach settlement
On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.
DFPI seeks to regulate commercial financial products and services under the CCFPL
Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, the CCFPL became law in 2020 and, among other things, (i) establishes UDAAP authority for the DFPI; (ii) authorizes the DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful (thus going beyond both Dodd-Frank and existing California law); (iii) provides the DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that enforcement of the CCFPL will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), the law expands the DFPI’s oversight authority to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.
The NPRM proposes new rules to implement sections 22159, 22800, 22804, 90005, 90009, 90012, and 90015 of the CCFPL related to the offering and provision of commercial financing and other financial products and services to small businesses, nonprofits, and family farms. According to DFPI’s notice, section 22800 subdivision (d) authorizes the Department to define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing. Section 90009, subdivision (e), among other things, authorizes the Department’s rulemaking to include data collection and reporting on the provision of commercial financing or other financial products and services.
Among other things, the NPRM:
- Clarifies that the CCFPL makes it unlawful for covered providers, as defined, to engage in unfair, deceptive, or abusive acts or practices;
- Provides standards for determining whether an act or practice is unfair, deceptive, or abusive;
- Defines small business, nonprofit, and family farm, among other terms;
- Clarifies DFPI's ability to enforce the regulation’s provisions;
- Requires covered providers to submit annual reports containing information about their provision of commercial financing or other financial products and services to small businesses, nonprofits, and family farms;
- Identifies persons excluded from the reporting requirement;
- Specifies the information required in the reports, as well as provide guidance on calculating or determining certain information;
- Clarifies the obligations of those also submitting annual reports to DFPI as licensees under the California Financing Law.
Written comments on the NPRM are due by August 8.
District Court approves $1.4 million FCRA settlement
On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.
California appeals court says lender cannot move bitcoin loan suit to Delaware
On June 14, the California Court of Appeal for the Second Appellate District reversed a trial court’s decision staying a suit against a lender and its loan payment processor (collectively, “defendants”) and enforcing a Delaware forum selection clause. The appeals court held that the plaintiff borrower’s unwaivable right to a jury trial under California law could be violated if the case proceeded in Delaware. According to the opinion, the plaintiff obtained $2.275 million in loans secured by bitcoin from the lender (a Delaware LLC that is licensed and regulated by California’s Department of Financial Protection and Innovation). When the value of bitcoin dropped, the lender sold the plaintiff’s bitcoin under the terms of the governing loan agreements. The plaintiff sued, “seeking, among other things, damages, return of his bitcoin, and cancellation of the loan agreements.” The defendants moved to stay the case because the Delaware forum selection clause required the case to be litigated in Delaware. The plaintiff countered that transferring the case to Delaware would “substantially diminish” his unwaivable rights under California law. The trial court eventually concluded that transferring the case to Delaware would not diminish the plaintiff’s rights and granted the stay pending litigation in Delaware. The trial court also stayed a second suit brought by the plaintiff alleging violations of California’s Unfair Competition Law and False Advertising Law, holding that the second suit involved the same primary rights as the first suit.
In reviewing the consolidated cases, the appeals court determined, among other things, that the Delaware forum selection clause in this case contains a predispute jury waiver. “Because California has a fundamental policy against such a waiver, Defendants carry the burden of proving that Delaware would not diminish this important right,” the appeals court wrote, adding that under Delaware law “contractual provisions that waive the contracting parties’ right to trial by jury have been upheld, and relevant case law provides insufficient assurance that Delaware courts will apply California’s important public policy to this dispute.” Additionally, the appeals court concluded that the defendants’ proposed “offer to stipulate that the Delaware court should apply California law” provides “little assurance that a Delaware court would enforce such a stipulation under the facts present here.”
CA approves commercial financing disclosure regs
On June 9, the California Office of Administrative Law (OAL) approved the Department of Financial Protection and Innovation’s (DFPI) proposed commercial financial disclosure regulations. The regulations implement commercial financing disclosure requirements under SB 1235 (Chapter 1011, Statutes of 2018). (See also DFPI press release here.) As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written, consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances.
Notably, SB 1235 does not apply to (i) depository institutions; (ii) lenders regulated under the federal Farm Credit Act; (iii) commercial financing transactions secured by real property; (iv) a commercial financing transaction in which the recipient is a vehicle dealer, vehicle rental company, or affiliated company, and meets other specified requirements; and (v) a lender who makes no more than one applicable transaction in California in a 12-month period or a lender who makes five or fewer applicable transactions that are incidental to the lender’s business in a 12-month period. The act also does not cover true leases (but will apply to bargain-purchase leases), commercial loans under $5,000 (which are considered consumer loans in California regardless of any business-purpose and subject to separate disclosure requirements), and commercial financing offers greater than $500,000.
California released four rounds of draft proposed regulations between 2019 and 2021 to solicit public comments on various iterations of the proposed text (covered by InfoBytes here). In conjunction with the approved regulations, DFPI released a final statement of reasons that outlines specific revisions and discusses the agency’s responses to public comments.
Among other things, the regulations:
- Clarify that a nondepository institution providing technology or support services to a depository institution’s commercial financing program is not required to provide disclosures, provided “the nondepository institution has no interest, or arrangement or agreement to purchase any interest in the commercial financing extended by the depository institution in connection with such program, and the commercial financing program is not branded with a trademark owned by the nondepository institution.”
- Provide detailed instructions for the content and layout of disclosures, including specific rows and columns that must be used for a disclosure table and the terms that must appear in each section of the table, that are to be delivered at the time a specific type of commercial financing offer equal to or less than $500,000 is extended.
- Cover the following commercial loan transactions: closed-end transactions, commercial open-end credit plans, factoring transactions, sales-based financing, lease financing, asset-based lending transactions. Disclosure formatting and content requirements are also provided for all other commercial financing transactions that do not fit within the other categories.
- Require disclosures to provide, among other things, the amount financed; itemization of the amount financed; annual percentage rate (the regulations provide category-specific calculation instructions); finance charges (estimated and total); payment methods, including the frequency and terms for both variable and fixed rate financing; details related to prepayment policies; and estimated loan repayment terms.
The regulations take effect December 9.
District Court: Company must face data breach claims
On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that plaintiffs suffered an actual injury as a result of the data breach because the monitoring services offered by the defendant were insufficient and offered for too short of time causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day time period as required by law, finding the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.
California’s privacy agency posts CPRA proposal
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.
The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:
- Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from its list of definitions, but adds new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
- Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
- Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
- Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
- Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
- Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g. “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
- Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
- Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
- Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
- Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.
The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.
DFPI requests comments on oversight of crypto asset-related financial products and services
On June 1, the California Department of Financial Protection and Innovation (DFPI) issued a request for public comments from stakeholders on developing guidance related to the oversight of crypto asset-related financial products and services. DFPI will proceed with rulemaking under the authority of the California Consumer Financial Protection Law (CCFPL). The request is in accordance with an executive order issued by the California governor last month, which called on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. (Covered by InfoBytes here.) DFPI’s request outlines various topics and questions concerning regulatory priorities, CCFPL regulation and supervision, and marketing monitoring functions, but notes that stakeholders “may comment on any potential area for rulemaking relating to crypto asset-related financial products and services,” including under other statutes administered or enforced by DFPI such as the Corporate Securities Law, Escrow Law, California Financing Law, or Money Transmission Act. The deadline to submit comments is August 5.
DFPI issues NPRM to implement process for handling consumer complaints and inquiries under the CCFPL
Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement and interpret certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, AB 1864 was signed in 2020 to enact the CCFPL, which, among other things: (i) establishes UDAAP authority for DFPI; (ii) authorizes DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful, arguably representing an enhancement of DFPI’s enforcement powers in contrast to Dodd-Frank and existing California law; (iii) provides DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that administration of the law will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), DFPI’s oversight authority was expanded to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.
The NPRM proposes new rules to implement section 90008, subdivisions (a), (b), and (d)(2)(D), of the CCFPL related to consumer complaints and inquires. According to DFPI’s notice, section 90008 subdivisions (a) and (b) authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries. Additionally, subdivision (d)(2)(D) “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
Among other things, the NPRM:
- Identifies entities exempt from the consumer complaints and inquiries requirements;
- Requires covered persons to respond to consumer complaints and to establish policies and procedures for receiving and responding to complaints, including providing a complaint form, acknowledging receipt of complaints, tracking complaints, the timeline for responding to complaints, the contents for such a response, and recordkeeping of such complaints;
- Sets forth requirements for responding to complaints, including documenting when complaints do not require further investigation, performing an investigation of a complaint if warranted, and requiring corrective action to resolve a complaint such as an account adjustment, credit, or refund, and appropriate steps to prevent recurrence of the issue, which may include policy changes and employee training;
- Requires designation of an officer with primary responsibility for the complaint process;
- Requires covered persons to submit to DFPI a quarterly complaint report, which will be made public, and an annual inquiries report;
- Sets forth requirements for covered persons to respond to inquiries from consumers and develop and implement written policies and procedures for responding to such inquiries;
- Provides that covered persons must develop and implement written policies and procedures for responding to requests from DFPI regarding consumer complaints; and
- Exempts certain information, such as nonpublic or confidential information, including confidential supervisory information, from disclosure to consumers.
Written comments on the NPRM are due by July 5.