Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California enacts licensing requirements for digital asset businesses, regulation of crypto kiosks

    On October 13, the California Governor signed AB 39, which will create a licensing requirement for businesses engaging in digital financial asset business activity. Crypto businesses will need to apply for a license with California’s Department of Financial Protection and Innovation (DFPI). The bill, among other things, (i) empowers DFPI to conduct examinations of a licensee; (ii) defines “digital financial asset” as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified”; (iii) empowers DFPI to conduct enforcement actions against a licensee or a non-licensed individual who engages in crypto business with, or on behalf of, a California resident for up to five years after their activity; (iv) allows DFPI to assess civil money penalties of up to $20,000 for each day a licensee is in material violation of the law, and up to $100,000 for each day an unlicensed person is in violation; and (v) requires licensees to provide certain disclosures to California clientele, such as when and how users may receive fees and charges, and how they are calculated. The new law exempts most government entities, certain financial institutions, most people who solely provide connectivity software, computing power, data storage or security services, and people engaging with digital assets for personal, family, household or academic use or whose digital financial asset business activity is reasonably expected to be valued at no more than $50,000 per year. In September of last year, the California Governor vetoed a similar bill because creating a licensing framework was “premature” considering conflicting efforts.

    Also effective on July 1, 2025 is SB 401, which was also enacted on October 13. SB 401 establishes regulations for crypto kiosks under the DFPI’s authority. It will, among other things, prohibit kiosk operators from accepting or dispensing more than $1,000 in a single day to or form a customer via a kiosk. Operators would be required to furnish written disclosures detailing the transaction's terms and conditions as well as transaction details. Kiosk operators will also be obligated to provide customers with a receipt for any transaction at their kiosk, including both the amount of a digital financial asset or USD involved in a transaction and, in USD, any fees, expenses, and charges collected by the kiosk operator. Finally, operators will be required to provide DFPI with a list of all its crypto kiosks in California, and such list will be made public.

    Licensing State Issues California DFPI State Legislation Cryptocurrency Digital Assets Disclosures

  • California enacts law to extend commercial financing cost disclosure requirement

    State Issues

    On October 7, the California governor signed SB 33 to, among other things, continue to require covered providers offering commercial loans to disclose the total cost of financing expressed as an annualized rate indefinitely. Existing law currently required this disclosure only until January 1, 2024.

    SB 33 is effective January 1, 2024.

    State Issues California State Legislation Commercial Finance Disclosures Consumer Finance

  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during its yearly registration, including: (i) if they collect the personal information of minors; (ii) if the data broker collects consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on its website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.

     

    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • California enacts amendments to the Consumers Legal Remedies Act: Advertisements

    State Issues

    On October 7, the California governor approved SB 478 (the “Act”), enacting amendments to the Consumers Legal Remedies Act designed to prohibit “drip pricing,” which involves advertising a price that is lower than the actual price a consumer will have to pay for a good or service. The Act, with specified exceptions, will make advertising the price of a good or service excluding additional fees or charges other than taxes, unlawful. The California Legislature declared that the Act is not intended to prohibit any particular method of determining prices for goods or services, including algorithmic or dynamic pricing. Instead, it is intended to regulate how prices are advertised, displayed, and/or offered.

    The Act is effective July 1, 2024.

    State Issues State Legislation Advertisement Unfair California Consumer Protection

  • CPPA continues efforts towards California Privacy Rights Act

    State Issues

    The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).

    Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.

    The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.

    The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.

    State Issues Privacy California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • California AG advocates for medical payment reforms

    State Issues

    California Attorney General Rob Bonta submitted a letter to federal agencies urging the federal government to adopt regulations and statutory protections to help protect patients who may need to use medical credit cards and installment loans to pay for healthcare-related bills.

    The letter notes that medical payment products exacerbate health disparities, that patients seeking medical care may not be in an appropriate position to make complex financial decisions, and offers California’s protections against medical payment products as a model framework.

    In the letter, which is addressed to the U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services, the CFPB, and the Treasury, Bonta recommends (i) designating medical credit card debt as medical debt and not consumer debt; (ii) ensuring providers properly screen patients for financial aid and charity care before offering a medical payment product; (iii) limiting enrollment when patients may be distressed or under the influence of medication; (iv) providing written notice of financial assistance and potential eligibility for charity care; (v) making reasonable efforts to notify patients about the level of insurance coverage of medical expenses; and (vi) reducing patient cost-sharing responsibilities.

    State Issues California State Attorney General Medical Debt Consumer Finance Consumer Protection

  • California governor signs executive order on GenAI

    State Issues

    On September 6, California Governor Gavin Newsom signed an Executive Order (E.O.) instructing state agencies to evaluate how generative artificial intelligence (GenAI) may impact the State and its residents. Specifically, the E.O. requires certain state agencies to provide a report to the Governor which will examine “the most significant, potentially beneficial uses” of GenAI tools by the state. The report must also discuss “the potential risks to individuals, communities, and government and state government workers” from GenAI tools. Certain California agencies, including the Department of Technology, must perform a “risk analysis of potential threats to and vulnerabilities of California’s critical energy infrastructure by the use of GenAI.” The E.O. also requires that the State issue “general guidelines for public sector procurement, uses, and required training for use of GenAI,” and consider pilots of GenAI projects to be tested in “sandboxes.” Lastly, the E.O. directs the State to pursue a formal partnership with certain California higher education institutions to study the impacts of GenAI and support its safe growth.

    State Issues California Executive Order Artificial Intelligence Supervision Governors

  • California AG announces settlement with mortgage servicer

    State Issues

    On September 1, California Attorney General (AG) Rob Bonta announced a settlement with a mortgage servicer for its alleged failure to properly process and grant mortgage deferment requests from California military reservists called to active duty. California’s Military and Veterans Code, which includes the California Military Families Financial Relief Act, allows reservists to delay paying mortgages, credit cards, property taxes, car loans, utility bills, and student loans. To defer payment, they must submit a written request and their military orders to the entity to which their payments are due. The AG noted that the California Department of Justice investigated the mortgage servicer’s processes for handling mortgage deferment requests and found that the servicer delayed granting the deferment requests, requested information for eligibility review outside of the 30-day timeframe to do so, and improperly denied deferment requests, on at least 10 occasions. Furthermore, the servicer allegedly attempted to collect payment from some borrowers during the requested deferral period by making calls and sending notices that warned that the servicer would foreclose on the borrowers’ properties if they failed to pay. The servicer also allegedly incorrectly charged some borrowers late fees and other charges for nonpayment of payments that should have been deferred. Finally, the servicer allegedly provided incorrect negative credit information to credit reporting agencies.

    Under the terms of the settlement, the servicer agreed to, among other things, (i) pay $58,000 in civil money penalties; (ii) “remediate consumer harm”; (iii) disclose deferment request status to borrowers; and (iv) provide annual reports to the AG documenting compliance with the injunctive terms.

    State Issues Settlement State Attorney General California Consumer Finance Mortgage Servicing Military Lending

  • DFPI finalizes small business UDAAP and data reporting rule

    State Issues

    DFPI recently approved the final regulation for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. After considering comments and releasing three rounds of modifications to Sections 1060, 1061, and 1062, the final regulation will, among other things, bring protections to small businesses seeking loans, by (i) defining and prohibiting unfair, deceptive, and abusive acts and practices in the offering or provision of commercial financing to small businesses, nonprofits, and family farms; and (ii) establishing data collection and reporting requirements.

    Previous InfoBytes coverage on the (i) initial modifications to the CCFPL proposed regulation can be found here; (ii) the second round of CCFPL modifications proposal is found here; and (iii) the third iteration of the modified CCFPL proposal is located here.

    This DFPI regulation was notably finalized on the heels of the CFPB’s finalized Section 1071 rule on small business lending data, which similarly will require financial institutions to collect and provide the Bureau data on lending to small businesses (covered by InfoBytes here)

    Sections 1060, 1061, and 1062 will be effective on October 1.

    State Issues Agency Rule-Making & Guidance State Regulators DFPI CCFPL Commercial Finance UDAAP Small Business Lending Consumer Finance California

  • OCC announces Tropical Storm Hilary disaster relief

    On August 21, the OCC issued a proclamation providing discretion to OCC-regulated institutions to close offices affected by Tropical Storm Hilary in California, Nevada, and Arizona “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the OCC, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.

    Find continuing InfoBytes coverage on disaster relief here.

    Bank Regulatory Federal Issues OCC Disaster Relief California Nevada Arizona

Pages

Upcoming Events