
InfoBytes Blog

Financial Services Law Insights and Observations


  • Connecticut issues money transmitter advisory

    Recently, the Connecticut Department of Banking (Department) issued an advisory on money transmission, providing general guidance on what types of activities and entities must be licensed. According to the advisory, transmission can occur whenever “a person takes possession or control of monetary value belonging to another person” and holds it for a period of time, or transmits it to a third party. The Department noted that “[t]he increased use of technology to enable immediate payment mechanisms, as well as the explosion of virtual currency, has caused significant disruption to traditional money transmission systems.” The Department also acknowledged that many consumers do “not realize or understand the regulatory landscape that applies” to using money transmitters. Among other things, the advisory listed entities that traditionally provide transmission services like bill payers, payroll processors, and issuers and sellers of prepaid cards and money orders. The advisory also discussed Connecticut’s license application and penalties for unlicensed transmission, explaining that licensure goes through the Nationwide Multistate Licensing System and involves disclosing pertinent information concerning all “control persons.” 

    Licensing State Issues Connecticut State Regulators NMLS Money Service / Money Transmitters

  • Connecticut fines collection agency $10,000 for violating usury laws

    State Issues

    On June 28, the Connecticut Department of Banking issued a consent order against a licensed consumer collection agency for allegedly engaging in numerous violations of state law. These include (i) collecting on loans made by unlicensed lenders affiliated with federally-recognized Native American tribes that violate state usury laws; (ii) commingling operating monies from its business account with funds in its trust accounts; and (iii) engaging in unfair or deceptive acts or practices by advertising financial products and services of unlicensed affiliates in communications with consumers. According to the order, an examination found that the company collected on loans made by unlicensed lenders affiliated with Native American tribes that charged interest rates exceeding state limits, and that the company received payments on small loans that violated other state statutes. The Connecticut Department of Banking noted that, pursuant to a Connecticut Supreme Court decision in Great Plains Lending, LLC v. Department of Banking, consumer collection agencies are prohibited “from collecting on small loans made by unlicensed persons, including lenders affiliated with Native American tribes.” Such loans are considered void and unenforceable, the Department said.

    While the company neither admitted nor denied any of the allegations, it voluntarily agreed to the imposition of sanctions to obviate the need for formal administrative proceedings. Under the terms of the consent order, the company must pay a $10,000 civil penalty, refund all amounts collected from Connecticut borrowers as payment on small loans made by unlicensed lenders affiliated with federally recognized Native-American tribes, implement appropriate policies and procedures, cease and desist from soliciting financial services products in its collection communications with consumers, and cease and desist from collecting, attempting to collect, and receiving payment on small loans not made in compliance with state law.

    State Issues Licensing Enforcement State Regulators Connecticut Usury Consumer Finance Tribal Lending

  • Collection agency to pay $10,000 for operating without a license in Connecticut

    State Issues

    On June 24, the Connecticut Department of Banking issued a consent order against a company for operating as a consumer collection agency without obtaining the proper license. According to the order, the company filed a consumer collection agency license application in Connecticut in June 2020. However, during its review of the company’s application, the Department of Banking discovered that it had been operating as a consumer collection agency without a license in the state since 2019. Under the terms of the consent order, the company must pay a civil penalty of $10,000 and pay $800 to cover licensing fees.

    State Issues Licensing Connecticut State Regulators Enforcement

  • Connecticut amends banking statutes

    On May 17, the Connecticut governor signed S.B. 268, which makes various revisions to state banking statutes. Among other things, the bill establishes that a money transmission license is not transferable or assignable, but a licensee may be acquired under certain circumstances. The bill also establishes that the commissioner cannot approve a state-bank’s loan production office to be established unless the commissioner has considered the out-of-state bank’s record of compliance. Additionally, the bill establishes certain definitions, including the meaning of “control,” “control person,” “key individual,” and “passive investor.” The bill is effective October 1.

    Licensing State Issues State Legislation Connecticut Money Service / Money Transmitters

  • Connecticut becomes fifth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection

  • Connecticut issues CDO against unlicensed small-dollar marketplace lender

    State Issues

    On May 4, the Connecticut Banking Commissioner issued a temporary cease and desist order against an unlicensed California-based marketplace lender after determining it had reason to believe the respondent allegedly violated several provisions of the Connecticut General Statutes, as well as Section 1036 of the CFPA. The respondent operates a mobile application to help consumers take out small-dollar loans and solicits lenders via its website through advertisements claiming it “takes the work out of lending by vetting and organizing a marketplace of loan requests” where “[b]orrowers set their own terms and provide appreciation tips to lenders who agree to fund a loan, allowing for mutually beneficial financial outcomes.” Consumers initiate loans on the respondent’s platform for a certain amount, which includes optional monetary tips for both the lender and the respondent of up to 12 and 9 percent of the loan amount respectively. The Commissioner’s investigation noted that while the respondent touted the tips as being optional and not required for submitting a loan request or receiving funding, 100 percent of the loans originated to Connecticut consumers from June 2018 to August 2021 included a tip. When the tips were factored into the finance charge, the APRs of the Connecticut consumers’ loans ranged from 43 percent to over 4,280 percent. During the identified time period, loan disclosures identified the amount of the tips for each loan; however, starting in April 2021, the revised disclosures and promissory notes removed any itemization of the tips, and promissory notes allegedly “failed to indicate any obligation of the borrower to pay tips on their loans.” According to the Commissioner, the corresponding disclosures “stated that only one payment, for the principal loan amount, was due at the end of the loan,” however, on the loan’s due date, the total loan amount including tips was withdrawn from the consumer’s account. Additionally, disclosures allegedly informed consumers that the APR on the loans was zero percent even though all the loans carried much higher APRs.

    The Commissioner further concluded that the respondent prohibited direct communication between consumers and lenders and charged several fees on delinquent loans, including late fees and recovery fees for its collection efforts. Moreover, at least one of the contracted collection agencies was not licensed in the state, nor was the respondent licensed as a small loan company in Connecticut, nor did it qualify for a licensure exemption.

    In issuing its order to cease and desist, order to make restitution, and notice of intent to impose a civil penalty and other equitable relief, the Commissioner stated that the respondent’s “offering, soliciting, brokering, directly or indirectly arranging, placing or finding a small loan for a prospective Connecticut borrower, without the required license” constitutes at least 1,600 violations of the Connecticut General Statutes. The Commissioner cited additional violations, which included engaging in unlicensed activities such as lead generation and debt collection, and cited the respondent for providing false and misleading information related to the terms and costs of the loan transactions in violation of both state law and the CFPA’s prohibition against deceptive acts or practices. In addition to ordering the respondent to immediately cease and desist from engaging in the alleged violations, the Commissioner ordered the respondent to repay any amounts received from Connecticut consumers in connection with their loan, plus interest.

    State Issues Licensing Connecticut State Regulators CFPA UDAAP Deceptive Consumer Finance Small Dollar Lending Interest Rate Disclosures

  • Connecticut legislature passes consumer data privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national securities associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
    • Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.

    If enacted in its current form, the bill would take effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection COPPA State Attorney General Enforcement

  • Collection agency must pay $100,000

    On January 10, the Connecticut Department of Banking (Department) issued an order against a California-based collection agency (respondent) for failing to request a hearing within the prescribed time period after a notice regarding submission of certain information was sent by the Department. According to the order, the Department sent the respondent an information request and after requesting additional time to supply the information, the respondent notified the Department that it was voluntarily surrendering its license to collect in Connecticut. However, the respondent still failed to submit the requested information, which the state said is mandatory before it would consider the surrender of the respondent’s license. The Department ordered the respondent to cease and desist from violating Section 36a-17(e) of the Connecticut General Statutes and to pay a $100,000 civil money penalty. The Department also revoked the respondent’s license to act as a consumer collection agency in Connecticut.

    Licensing State Issues Connecticut State Regulators Enforcement

  • Creditor must pay fine for collecting debts under a different name

    Recently, the Connecticut Department of Banking entered into a consent order with a North Carolina-based company resolving allegations that it violated Connecticut collection practices laws and regulations by allegedly using a name other than the company’s legal name when collecting unpaid debts without a Connecticut consumer collection agency license. The Department’s investigation stemmed from a newspaper article in which a Connecticut resident complained that he received bills from a company in an attempt to collect $314 for a Covid-19 test. The company responded to the Department’s inquiry by stating that a collection agency license was not required because the collections were made by an in-house division of the company, and not on behalf of a third party. The company also cited cases in which federal courts dismissed similar allegations under the federal FDCPA. After an investigation, the Department alleged that the company constituted a “creditor” and, by using a different name, was in violation of the Regulations of Connecticut State Agencies, “which prohibits the use of any business, company or organization name other than the true name of the creditor’s organization.” The consent order requires that the company pay a civil money penalty of $10,000 and that the company cease and desist from using any name other than its true legal name to collect debts.

    Licensing State Issues Connecticut Enforcement Debt Collection FDCPA

  • Connecticut Department of Banking extends work from home guidance for licensees

    State Issues

    On March 1, the Connecticut Department of Banking issued a memorandum extending through June 30, 2021, its no-action position (previously discussed here, here, and here) with respect to various licensees temporarily working from home during Covid-19, provided that certain criteria set forth in the memorandum are met.

    State Issues Covid-19 Connecticut Licensing

