Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Fintech fined over interest charges billed as tips and donations


    A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.

    The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.

    A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.

    In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.

    Fintech State Issues Licensing Enforcement Washington California Connecticut Interest TILA DFPI State Regulators State Attorney General

  • FTC, DOJ sue maker of health app over data sharing

    Federal Issues

    On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.

    The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Consumer Protection Health Breach Notification Rule Enforcement Connecticut District of Columbia Oregon

  • Collection agency to pay $10k for operating without a license

    On March 21, the Connecticut Department of Banking fined a collection agency $10,000 and ordered it to cease and desist from collection agency activity for operating without a valid license. According to the order, the company applied for a consumer collection agency license in Connecticut in October 2022. However, during its review of the company’s application, the Department of Banking discovered that the company had been operating as a consumer collection agency without a license in the state since at least 2019. Under the terms of the consent order, the company must pay a civil penalty fine of $10,000, and pay $800 to cover back licensing fees. The company consented to the entry of the sanctions without admitting or denying any wrongdoing “solely for the purpose of obviating the need for further formal administrative proceedings,” the order said.

    Licensing State Issues Connecticut State Regulators Enforcement Debt Collection

  • Collection firm to pay $100,000 for operating without a license

    On December 1, the Connecticut Department of Banking (Department) fined a collection law firm $100,000 and ordered it to cease and desist from collection activity for operating without a valid license. According to the order, in August, the Department issued a temporary order to cease and desist, a notice of intent to issue order to cease and desist, a notice of intent to impose a civil penalty, and a notice of a right to a hearing, which provided the firm 14 days to respond to request a hearing. Furthermore, the firm was warned that if a request for hearing was not made, a cease and desist order would likely be forthcoming. During its investigation, the state discovered that in 2019, the firm was conducting unlicensed collection agency activity for about 10,000 Connecticut accounts with a total balance of about $1.4 million. The firm allegedly collected approximately $81,000 of that amount. In late 2019, the state sent the firm a certified letter regarding its collection activity and asked for a response, which was never provided. In the August order, the firm was asked to supply the state with a list of all the creditors with whom the firm has entered into agreements for consumer collection services since July 2018, including copies of all the agreements with those creditors, and an itemized list of each Connecticut debtor account that the firm had attempted collections on for the same time period.

    Licensing State Issues Connecticut Debt Collection Consumer Finance

  • Connecticut fines collection agency $100,000 and revokes license

    On August 18, the Connecticut Banking Commissioner revoked a consumer collection agency’s license after finding that it failed to provide requested information during an examination. Following an examination in May, the commissioner issued a “Notice of Automatic Suspension, Notice of Intent to Revoke Consumer Collection Agency License, Notice of Intent to Issue Order to Cease and Desist, Notice of Intent to Impose Civil Penalty and Notice of Right to Hearing” to the collection agency warning that if it failed to request a hearing within 14 days “the allegations would be deemed admitted.” According to the order, due to the collection agency’s failure to respond to the notices, the commissioner was “unable to determine that the financial responsibility, character, reputation, integrity and general fitness of Respondent are such to warrant belief that the business will be operated soundly and efficiently.” The collection agency also allegedly failed to maintain a surety bond that ran in accordance with its consumer collection agency license. The commissioner revoked the collection agency’s license to operate in the state, ordered it to cease and desist from violating Section 36a-17(e) of the 2022 Supplement to the General Statutes which requires it to make its records available, and imposed a $100,000 civil penalty.

    Licensing State Issues State Regulators Connecticut Enforcement Consumer Finance

  • Connecticut issues money transmitter advisory

    Recently, the Connecticut Department of Banking (Department) issued an advisory on money transmission, providing general guidance on what types of activities and entities must be licensed. According to the advisory, transmission can occur whenever “a person takes possession or control of monetary value belonging to another person” and holds it for a period of time, or transmits it to a third party. The Department noted that “[t]he increased use of technology to enable immediate payment mechanisms, as well as the explosion of virtual currency, has caused significant disruption to traditional money transmission systems.” The Department also acknowledged that many consumers do “not realize or understand the regulatory landscape that applies” to using money transmitters. Among other things, the advisory listed entities that traditionally provide transmission services like bill payers, payroll processors, and issuers and sellers of prepaid cards and money orders. The advisory also discussed Connecticut’s license application and penalties for unlicensed transmission, explaining that licensure goes through the Nationwide Multistate Licensing System and involves disclosing pertinent information concerning all “control persons.” 

    Licensing State Issues Connecticut State Regulators NMLS Money Service / Money Transmitters

  • Connecticut fines collection agency $10,000 for violating usury laws

    State Issues

    On June 28, the Connecticut Department of Banking issued a consent order against a licensed consumer collection agency for allegedly engaging in numerous violations of state law. These include (i) collecting on loans made by unlicensed lenders affiliated with federally-recognized Native American tribes that violate state usury laws; (ii) commingling operating monies from its business account with funds in its trust accounts; and (iii) engaging in unfair or deceptive acts or practices by advertising financial products and services of unlicensed affiliates in communications with consumers. According to the order, an examination found that the company collected on loans made by unlicensed lenders affiliated with Native American tribes that charged interest rates exceeding state limits, and that the company received payments on small loans that violated other state statutes. The Connecticut Department of Banking noted that, pursuant to a Connecticut Supreme Court decision in Great Plains Lending, LLC v. Department of Banking, consumer collection agencies are prohibited “from collecting on small loans made by unlicensed persons, including lenders affiliated with Native American tribes." Such loans are considered void and unenforceable, the Department said.

    While the company neither admitted nor denied any of the allegations, it voluntarily agreed to the imposition of sanctions to obviate the need for formal administrative proceedings. Under the terms of the consent order, the company must pay a $10,000 civil penalty, refund all amounts collected from Connecticut borrowers as payment on small loans made by unlicensed lenders affiliated with federally recognized Native-American tribes, implement appropriate policies and procedures, cease and desist from soliciting financial services products in its collection communications with consumers, and cease and desist from collecting, attempting to collect, and receiving payment on small loans not made in compliance with state law.

    State Issues Licensing Enforcement State Regulators Connecticut Usury Consumer Finance Tribal Lending

  • Collection agency to pay $10,000 for operating without a license in Connecticut

    State Issues

    On June 24, the Connecticut Department of Banking issued a consent order against a company for operating as a consumer collection agency without obtaining the proper license. According to the order, the company filed a consumer collection agency license application in Connecticut in June 2020. However, during its review of the company’s application, the Department of Banking discovered that it had been operating as a consumer collection agency without a license in the state since 2019. Under the terms of the consent order, the company must pay a civil penalty fine of $10,000, and pay $800 to cover licensing fees.

    State Issues Licensing Connecticut State Regulators Enforcement

  • Connecticut amends banking statutes

    On May 17, the Connecticut governor signed S.B. 268, which makes various revisions to state banking statutes. Among other things, the bill establishes that a money transmission license is not transferable or assignable, but a licensee may be acquired under certain circumstances. The bill also establishes that the commissioner cannot approve a state-bank’s loan production office to be established unless the commissioner has considered the out-of-state bank's record of compliance. Additionally, the bill establishes certain definitions, including the meaning of “control”, “control person,” “key individual,” and “passive investor.” The bill is effective October 1.

    Licensing State Issues State Legislation Connecticut Money Service / Money Transmitters

  • Connecticut becomes fifth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection