InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California: TILA does not preempt state laws on commercial financial disclosure
On January 20, California Attorney General Rob Bonta sent a comment letter to CFPB Director Rohit Chopra in response to a preliminary determination issued by the Bureau in December, which concluded that commercial financial disclosure laws in four states (New York, California, Utah, and Virginia) are not preempted by TILA. As previously covered by InfoBytes, the Bureau issued a Notice of Intent to Make Preemption Determination under the Truth in Lending Act seeking comments pursuant to Appendix A of Regulation Z on whether it should finalize its preliminary determination. The Bureau noted that a number of states have recently enacted laws requiring improved disclosures of information contained in commercial financing transactions, including loans to small businesses, to mitigate predatory small business lending and improve transparency. In making its preliminary determination, the Bureau concluded that the state and federal laws do not appear “contradictory” for preemption purposes, explaining, among other things, that the statutes govern different transactions (commercial finance rather than consumer credit).
Under the California Commercial Financing Disclosures Law (CFDL), companies are required to disclose various financing terms, including the “total dollar cost of the financing” and the “total cost of the financing expressed as an annualized rate.” Bonta explained that the CFDL only applies to commercial financing arrangements (and not to consumer credit transactions) and “was enacted in 2018 to help small businesses navigate a complicated commercial financing market by mandating uniform disclosures of certain credit terms in a manner similar to TILA’s requirements, but for commercial transactions that are unregulated by TILA.” He pointed out that disclosures required under the CFDL do not conflict with those required by TILA, and emphasized that there is no material difference between the disclosures required by the two statutes, even if TILA were to apply to commercial financing. According to Bonta, should TILA preempt the CFDL’s disclosure requirements, there would be no required disclosures at all for commercial credit in the state, which would make it challenging for small businesses to make informed choices about commercial financing arrangements.
While Bonta agreed with the Bureau’s determination that TILA does not preempt the CFDL, he urged the Bureau to “articulate a narrower standard that emphasizes that preemption should be limited to situations where it is impossible to comply with both TILA and the state law or where the state law stands as an obstacle to the full purposes [of] TILA, which is to provide consumers with full and meaningful disclosure of credit terms in consumer credit transactions.” He added that the Bureau “should also reemphasize certain principles from prior [Federal Reserve Board] decisions, including that state laws are preempted only to the extent of actual conflict and that state laws requiring additional disclosures—or disclosures in transactions not addressed by TILA—are not preempted.”
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.
DFPI modifies Student Loan Servicing Act proposal
On January 6, the California Department of Financial Protection and Innovation issued modified proposed regulations under the Student Loan Servicing Act (Act), which provides for the licensure, regulation, and oversight of student loan servicers by DFPI (covered by InfoBytes here). Last September, DFPI issued proposed rules to clarify, among other things, that income share agreements (ISAs) and installment contracts, which use terminology and documentation distinct from traditional loans, serve the same purpose as traditional loans (i.e., “help pay the cost of a student’s higher education”), and are therefore student loans subject to the Act. As such, servicers of these products must be licensed and comply with all applicable laws, DFPI said. (Covered by InfoBytes here.) The initial proposed rules also (i) defined the term “education financing products” (which now fall under the purview of the Act) along with other related terms; (ii) amended various license application requirements, including financial requirements for startup applicants; (iii) outlined provisions related to non-licensee filing requirements (e.g., requirements for servicers that do not require a license but that are subject to the Student Loans: Borrower Rights Law, which was enacted in 2020 (effective January 1, 2021)); (iv) specified that servicers of all education financing products must submit annual aggregate student loan servicing reports to DFPI; and (v) outlined new clarifications to the Student Loans: Borrower Rights Law to provide new requirements for student loan servicers (covered by InfoBytes here).
Following its consideration of public comments on the initial proposed rulemaking, DFPI is proposing the following changes:
- Amendments to definitions. The modified regulations revise the definition of “education financing products” by changing “private loans” to “private education loans,” which are not traditional loans. DFPI explained that changing the term to what is used in TILA will provide consistency for servicers and eliminate operational burdens. While the definition of “education financing products” also no longer includes “income share agreements and installment contracts” in order to align it with TILA, both of these terms were separately defined in the initial proposed rulemaking. The definition of “traditional student loan” has also been revised to distinguish which private student loans are traditional loans and which are education financing products (in order to help servicers determine the applicable aggregate reporting and records maintenance rules). The modifications also revise the definitions of “federal student loan,” “income,” “income share agreement,” “installment contract,” “payment cap,” “payment term,” and “qualifying payments,” remove unnecessary alternative terms for “income share,” and add “maximum payments” as a new defined term.
- Time zone requirement revisions. The modified regulations revise the time zone in which a payment must be received to be considered on-time to Pacific Time in order to protect California borrowers.
- Additional borrower protections. The modified regulations specify that servicers are required to send written acknowledgement of receipt and responses to qualified written requests via a borrower’s preferred method of communication. For borrowers who do not specify a preferred method, servicers must send acknowledgments and responses through both postal mail to the last known address and to all email addresses on record.
- Examinations, books, and records requirement updates. The modified regulations revise the information that servicers must provide in their aggregate reports for traditional student loans, including with respect to: (i) loan balance and status; (ii) cumulative balances and amounts paid; and (iii) aggregate information specific to ISAs, installment contracts, and other education financing products. Additionally, DFPI clarified that while the amount a borrower will be required to pay to an ISA provider in the future is unknown, many ISAs contain an “early completion” provision to allow a borrower to extinguish future obligations, and ISA providers must give this information to borrowers. DFPI further clarified that while servicers may choose to maintain records electronically, they must also be able to produce paper records for inspection at a DFPI-designated servicer location to allow an examination to be conducted in one place.
Comments on the modified regulations are due January 26.
DFPI issues recommendations for engaging in crypto technologies
In December, the California Department of Financial Protection and Innovation (DFPI) issued a report identifying six recommendations for how California should engage with blockchain and Web3 industries. The report follows a May 2022 Executive Order (E.O.) from the California governor to create a regulatory and business environment for blockchain and cryptocurrency companies that balances the benefits and risks to consumers. As previously covered by InfoBytes, one of the priorities of the E.O. included for DFPI to, among other things, engage in a public process, including with federal agencies, to “develop a comprehensive regulatory approach to crypto assets harmonized with the direction of federal regulations and guidance” and “exercise its authority under the California Consumer Financial Protection Law (CCFPL) to develop guidance and, as appropriate, regulatory clarity and supervision of private entities offering crypto asset-related financial products and services” in California. The report made six recommendations to “encourage the continued growth and adoption of blockchain technology.”
- Engagement with stakeholders. The state should “continue dialogue with industry, advocates, and regulators to stay apprised of new technologies, products, definitions and risks.”
- Consumer protection and education. The state should promote consumer protection and consumer education about blockchain and crypto products, which includes, among other things: (i) training staff to better supervise regulated entities, products, and services; (ii) increasing efforts to educate Californians on how to use certain crypto-asset related financial products and services; and (iii) developing and publishing “standards for use in reviewing crypto asset-related securities to help provide more meaningful investor disclosures and to allow companies who wish to offer such securities more quickly and efficiently.”
- Legislation and regulation. The state should identify legislative gaps and clarify statutory authority regarding crypto assets. DFPI will attempt to harmonize California’s regulatory approach with federal regulators, other states, and local jurisdictions.
- Government use. The state should consider ways to use blockchain technology to “increase efficiencies, improve access, and reduce costs.”
- Environmental protection. The state should encourage more environmentally efficient blockchain technologies and explore policy interventions to reduce energy use.
- Workforce and economic development. The state should tap its higher education systems to help support and grow the blockchain sector and related technologies.
National bank to pay $2 million in mortgage fee violation class action
On December 19, the U.S. District Court for the Central District of California granted final approval of a settlement in a $2 million class action resolving allegations that a national bank violated California’s Rosenthal Fair Debt Collection Practices Act (RFDCPA) and Unfair Competition Law (UCL). According to the order for preliminary approval, the plaintiff class alleged that the bank improperly charged and collected transaction fees when processing mortgage payments. The district court certified the class, which included “all persons who have or had a California address, and at any time between June 1, 2016 and the date of the Court’s order preliminarily approving the settlement, paid at least one transaction fee to [the defendant] for making a payment on a residential mortgage loan serviced by [the defendant] by telephone, IVR, or the internet.” The district court determined that the settlement agreement was “reasonable and adequate.” The two class representatives who filed the suit were awarded $1,500 each, and their attorneys were awarded $499,000 in fees.
DFPI modifies proposed regulations for complaints and inquiries under the CCFPL
On December 22, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) and (b) of the CCFPL, which authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries, as well as subdivision (d)(2)(D), which “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
After considering comments received on the NPRM, changes proposed by the DFPI include the following:
- Amended definitions. The proposed regulations will not apply to, in addition to consumer reporting agencies and student loan servicers, a person or entity already exempt from the CCFPL under Section 90002. The definition of “complaint” is amended to include “an oral or written expression of dissatisfaction from a complainant regarding a specific issue or problem with a financial product or service.” Additionally, “complainant” is amended to also provide that a consumer must have been a resident of California at the time of the act, omission, decision, condition, or policy giving rise to the complaint. The proposed regulations also outline several categories that are not included in the definition of “complaint” or “inquiry.”
- Complaint procedure updates. The proposed regulations outline requirements for covered persons related to consumer disclosures and written communications covering the complaint process. The proposed regulations also require covered persons to accept all complaints, whether written or oral, provided the complaint includes a reason for filing the complaint and sufficient information to identify the complainant.
- Restrictions. Covered persons shall not (i) “[r]equest personal identifying information beyond what is reasonably necessary to identify the complainant and to send correspondence”; (ii) “[r]equest financial information unrelated to the specific complaint of the consumer:” or (iii) impose a time limit for filing a complaint that is shorter than one year from the time the complainant discovers the act, omission, decision, condition, or policy that is the subject of the complaint (if a time limit is imposed it must be stated in the required consumer disclosures).
- Complaint acknowledgements. For every complaint received, covered persons must send the complainant a written acknowledgement of receipt that is postmarked or otherwise shows that acknowledgement was sent within five business days after receiving the complaint. Within 15 business days after receiving a complaint, a covered person must provide a final decision on all issues. If additional time is required, a covered person must provide the complainant with a written update within three business days after the initial 15-business day period ends.
- Inquiry response requirements. Covered persons are required to develop and implement written policies and procedures to implement the regulations’ inquiry requirements, and must also respond to all issues raised by an inquiry within 10 business days. Covered persons must retain copies of all written inquiries and written responses for at least three years from the time the written response was issued.
- Reporting requirements. Covered persons must submit an annual complaint report to DFPI for each financial product or service offered or provided that will be made available to the public with limited exceptions. Each report shall include information regarding all complaints received by the covered person during the reporting period, and must be filed electronically with the Consumer Financial Protection Division no later than 60 business days after the end of each calendar year.
Comments on the proposed modifications are due January 20 (extended from January 13).
Bank to pay $2 million in collection call suit
On December 14, a Superior Court of California granted a stipulated final judgment resolving claims that a national bank (defendant) violated the Rosenthal Fair Debt Collection Practices Act (RDCPA) and the FDCPA by making “harassing and annoying” debt collection calls to its customers. According to the stipulated final judgment, since at least March 2015, the defendant allegedly violated California and federal law by making phone calls with “unreasonably excessive frequency,” while also persisting in calling wrong numbers in attempts to collect on unpaid debts. The defendant, which did not admit any liability or wrongdoing, agreed to, among other things: (i) adopt or maintain policies and procedures to avoid such harassing calls; (ii) limit the number of calls it will make as part of its future debt collection efforts; and (iii) cease calling those who ask orally or in writing that they not be contacted. Under the terms of the stipulated final judgment, the defendant must pay $1.45 million in civil penalties, $300,000 in investigative costs, and $250,000 in restitution.
DFPI orders online platform to cease offering crypto-related products
On December 21, the California Department of Financial Protection and Innovation (DFPI) announced it has ordered an online platform offering several crypto-related services and products to desist and refrain from violating the California Securities Law and the California Consumer Financial Protection Law. According to DFPI, the company, which is registered with the California Secretary of State, offers services including (i) a peer-to-peer loan brokering service in which it claims that loans are secured by borrowers’ crypto assets; (ii) an interest-bearing crypto asset account that promises a fixed annual percentage rate yield; and (iii) an interest-bearing fiat account that promises a fixed annual percentage interest rate return. DFPI maintained that the company engaged in unlicensed loan brokering by offering and providing brokering services for personal loans made from one consumer to another (known as peer-to-peer lending), and conducted the unregistered sale of securities, in which consumers’ assets were pooled together with the stated purpose of generating passive returns. DFPI claimed that the company was and is not registered to offer investment contracts or to operate in this capacity with any relevant authority. Finding that these peer-to-peer lending services and interest-bearing accounts violate state law, including a prohibition against engaging in unlawful acts or practices, DFPI ordered the company to stop offering the services and products in California.
California privacy agency holds public meeting on CPRA
On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.
During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.
DFPI issues reminder to debt collection licensing applicants
Recently, the California Department of Financial Protection and Innovation (DFPI) issued a reminder that starting January 1, 2023, the agency will begin approving applications under the Debt Collection Licensing Act. As previously covered by InfoBytes, the California governor signed AB 156 in September to allow any debt collector that submits an application to the DFPI commissioner by January 1, 2023, to operate pending the approval or denial of the application. DFPI reminded applicants that background checks will be performed at a later date. The period for individuals to provide fingerprints upon request from DFPI is extended from 60 to 90 days. Written notification will be sent to applicants through the Nationwide Multi-State Licensing System 90 days prior to fingerprinting being due. Additionally, DFPI stated that due to the delay in the application process, final approvals may be delayed. Further announcements will be issued in the coming weeks concerning conditional approvals, DFPI said, noting that it will provide at least 30 days' notice before implementing any changes to existing processes.