Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Washington enacts SB 6025 addressing certain lending practices

    State Issues

    On March 25, the Governor of the State of Washington signed SB 6025 (the "Act”) into law. The Act would prohibit covered entities from (i) making loans disguised as personal property sale or leaseback transactions; (ii) offering cash rebates as a cover for installment sales; or (iii) making loans with interest rates or charges surpassing legal limits, among other things. The Act also amended portions of Washington State’s Consumer Loan Act (CLA). The Act would provide that non-bank services companies may be lenders under the CLA if such company would hold the “predominate interest in the loan” or “totality of the circumstances indicate that the [company] is the lender.” These changes will go into effect on June 6.

    State Issues Washington State Legislation Consumer Finance Consumer Protection

  • Washington State enshrines new act on uniform special deposits

    State Issues

    On March 13, the Governor of Washington State signed into law SB 5801, enshrining a new chapter titled the Uniform Special Deposits Act. The law will apply to special deposits under account agreements that intend to establish a special deposit. In Section 5, a “special deposit” is characterized as a bank deposit for the benefit of two or more beneficiaries, denominated in a currency for the purposes stated in the account agreement, and “subject to a contingency.” The law further described the process for determining a permissible purpose, payment to a beneficiary by a bank, and the duties and liability of the bank, among others. It also described that, unless provided for in the account agreement, special deposits will terminate five years after the date it was first funded. The Uniform Special Deposits Act will go into effect July 1.

    State Issues Washington Deposits State Legislation

  • Plaintiffs seek preliminary approval of $9 million class action settlement involving unsolicited texts


    On February 8, the U.S. District Court for the Western District of Washington received an unopposed motion for preliminary approval of a class action settlement against a broker-dealer alleging that the defendant violated the Washington Commercial Electronic Mail Act (CEMA) and the Washington Consumer Protection Act (CPA) by having consumers send “unsolicited advertising text messages” to other Washingtonians through a referral program. The proposed settlement would establish a $9 million settlement fund that would compensate an estimated one million affected class members, consisting of consumers who received a referral program text message during the relevant period, were Washington residents, and did not “clearly and affirmatively” consent to receive referral program text messages.

    Courts Class Action Settlement Broker-Dealer Washington

  • Washington State Attorney General wins two suits under medical billing practices

    State Issues

    On February 1, the Attorney General from Washington State successfully sued a large healthcare group to pay over $158 million for settlement of funds under the state’s Consumer Protection Act (CPA). The Washington AG stated that the healthcare group violated state law which requires hospital management to notify patients about financial assistance and to screen them for eligibility before trying to collect payment. The healthcare group has been ordered to pay $20.6 million in patient refunds and will forgive $137.2 million in medical debts; it will also pay $4.5 million to cover the attorney general’s costs. Among others, the consent decree includes several injunctions to be engaged in or refrained from for five years, including maintaining charity care policies, and not collecting payment for medical services unless presented with either of two stated stipulations. Lastly, the consent decree states that if the healthcare group violates a condition, it would have to pay up to $125,000 per violation. The defendants do not admit the allegations of the complaints filed in the first lawsuit from February 2022. 

    Similarly, on February 2 the Washington AG successfully entered into a motion for partial summary judgment against a medical debt collection agency working within the healthcare group for sending 82,729 debt collection notices under the Collection Agency Act (CAA). The court agreed with the AG’s finding that the agency’s debt collection notices failed to make the required disclosures under the CAA. Damages have not yet been awarded. 

    State Issues Medical Debt FDCPA Washington State Attorney General

  • Washington Appeals Court disagrees with appellant in a class action data breach; affirms lower court’s decision


    On January 8, the Washington State Court of Appeals affirmed superior court rulings granting final approval to a class action settlement, denying a motion to consolidate six class action lawsuits, and approving a class notice plan. According to the opinion, in 2021, the U.S. Department of Health and Human Services notified the respondent company, a nonprofit organization serving low-income individuals, of a data breach that exposed the social security numbers of 163,499 individuals. In 2022, appellant filed a class action lawsuit against the respondent company, one of six such separate class action lawsuits. The appellant filed a motion to consolidate the six pending class action lawsuits, which was denied. Subsequently, plaintiffs in one of the class action lawsuits signed a settlement agreement and release that would release, discharge, and bar all claims asserted in the other class action lawsuits and provide compensation anywhere from $100 to $25,000 to impacted individuals. The appellant plaintiff then filed the instant appeal alleging that the lower court abused its discretion by denying her motion to consolidate the six actions, that the class action plan failed to provide reasonable notice, and that the settlement was not fair, reasonable, or adequate because “the settlement is the product of collusion between the settling parties.” The appellate court disagreed and ultimately upheld the lower court’s rulings. 

    Courts Washington Appellate Data Breach Unfair DHHS Class Action

  • District Court denies motion to dismiss State Attorneys’ General case against “subprime lender”


    On January 12, the U.S. District Court for the Eastern District of Pennsylvania denied a defendant’s motion to dismiss a case brought by five State Attorneys General (State AGs) from Pennsylvania, New Jersey, Oregon, Washington, and D.C. seeking to enforce the CFPA. The State AGs allege the defendant engaged in “predatory lending practices” that violate state and federal law. As covered by InfoBytes, in Spring 2022, the CFPB issued an interpretive rule clarifying that states have the authority to enforce federal financial consumer protection laws, such as the CFPA. This interpretive rule led to partisan attacks claiming the CFPB was “colluding” with state regulators, as covered by InfoBytes here.

    The defendant is a state-licensed and regulated “subprime installment lender” operating in 28 states. As noted in the opinion, the defendant offers loans between $1,000 and $25,000, with terms between 12 and 60 months and charges interest at rates ranging from 18.99% to 35.99% with an average APR of 28%, and average loan size of around $3,650.

    In addition to the complaint regarding subprime loans, the State AGs assert that the defendant “deceptively ‘adds-on’” various insurance options to consumers’ loans and targets a financially vulnerable population: those with a credit score of 629 or less who “often already have significant… debt[.]”. The State AGs seek injunctive and other relief. 

    Courts Pennsylvania CFPB CFPA State Attorney General New Jersey Washington Oregon District of Columbia

  • White House convenes on reducing medical debt

    Federal Issues

    On December 8, President Biden met with over 80 federal and state officials to discuss reducing medical debts for Americans. The Biden-Harris administration desires to address medical payment products, unfair debt collection practices, surprise billing and facility fees, and charity care. This roundtable was one of several actions taken by the administration to lower Americans’ healthcare costs, in addition to (i) the CFPB’s report on how medical debt collectors pursue debts under the FDCPA, such as through misattributed billing and billing consumers without contacting them (previously covered by InfoBytes, here); and (ii) the CFPB’s proposed rule to remove medical bills from credit reports (also previously covered by InfoBytes, here). The roundtable featured speakers from the president’s council, the CFPB, the Center for Medicare and Medicaid Services, DHHS, the Treasury, and representatives from California, Colorado, and Washington.

    Federal Issues White House FDCPA CFPB DHHS Department of Treasury California Colorado Washington

  • Washington releases FAQs for My Health My Data Act

    Privacy, Cyber Risk & Data Security

    On June 20, the Washington attorney general published a series of Frequently Asked Questions (FAQs) related to the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data (covered by InfoBytes here). The FAQs include information on the law’s effective dates and applicability. According to the AG, “all persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.” Additionally, the FAQs clarify that a business that is covered by the Act must provide a link to its consumer health data privacy policy on its homepage.

    The FAQs also address a potential conflict between Sections 6 and 9 of the Act regarding the right to delete and consumers’ authorizations to sell data, respectively. Section 9 mandates that any person, not just regulated entities, must obtain consumer authorization before selling or offering to sell their data. Both the seller and purchaser are required to retain a copy of the authorization, which may contain consumer health data for  six years. However, Section 6 stipulates that consumer health data should be deleted from a regulated entity’s network upon the consumer’s request. The FAQs advise that in cases where a consumer requests deletion under Section 6, any authorizations stored under Section 9 must be redacted to eliminate any information related to the data that was sold.

    Privacy, Cyber Risk & Data Security State Issues Washington Consumer Protection Medical Data State Attorney General

  • Fintech fined over interest charges billed as tips and donations


    A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.

    The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.

    A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.

    In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.

    Fintech State Issues Licensing Enforcement Washington California Connecticut Interest TILA DFPI State Regulators State Attorney General

  • Washington State passes new health data privacy measures

    Privacy, Cyber Risk & Data Security

    On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt. The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain consent from consumers prior to collecting, sharing, and selling their health data; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.

    The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.

    Privacy, Cyber Risk & Data Security State Legislation State Issues Washington Consumer Protection Medical Data


Upcoming Events