Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
The U.S. District Court for the Eastern District of Virginia recently granted an installment lender’s motion to dismiss, ruling that most of the class members’ claims are time-barred by the Military Lending Act’s (MLA) two-year statute of limitations. Plaintiffs are active duty servicemembers who entered into installment loans with the defendant. Claiming four violations of the MLA, plaintiffs alleged the defendant (i) extended loans with interest rates exceeding the MLA’s 36 percent interest rate cap; (ii) extended loans that involved roll overs of prior loans; (iii) required plaintiffs to agree to repayment by allotment (with a backup preauthorized electronic fund transfer) as a condition to receiving a loan; and (iv) required plaintiffs to provide a security interest in their bank accounts as a condition for receiving a loan. Plaintiff sought to certify a class covering the five years preceding the date the complaint was filed. Defendant moved to dismiss, arguing that plaintiffs have only been harmed by technical violations of the MLA and did not suffer a concrete injury. Plaintiffs countered that the defendant’s MLA violations caused them to sustain injuries from making payments, including interest payments, “on loans that were ‘void from [their] inception’  due to their unlawful refinancing, allotment, and security interest requirements.”
The court reviewed a significant issue raised by the parties’ differing interpretations of the MLA’s statute of limitations and its applicability to plaintiffs’ loans. Specifically, the parties disagreed as to whether “discovery by the plaintiff of the violation,” which triggers the two-year limitations period, requires that a plaintiff only discover the facts constituting the basis for the violation, as argued by the defendant, or instead requires that a plaintiff also know that the MLA was violated, as the plaintiffs argued. While acknowledging that the text in question is inconclusive, the court stated that since the MLA “does not require ‘discovery’ of both the ‘violation’ and ‘liability’ but only the ‘violation that is the basis for such liability,’ the text appears to support the interpretation that only discovery of the violative conduct is required, and
not discovery of the actionability of that conduct.” The court also reviewed other federal statutory discovery rules where other courts “have consistently found that ‘discovery’ requires that a plaintiff have knowledge only of the facts constituting the violation and not the legal implications of those facts.” Relying on this, as well as other court interpretations, the court determined that “the two-year limitations period is triggered when a plaintiff discovers the facts
constituting the basis for the MLA violation and not when the plaintiff recognizes that these facts
support a legal claim.” Thus, the court found that most of the loans underlying the claims are time-barred.
However, for loans that fell within the applicable limitations period, the court granted defendant’s motion to dismiss for failure to state a claim, concluding, among other things, that a creditor is not prohibited from taking a security interest in a plaintiff’s bank account by way of a preauthorized electronic fund transfer provided the military annual percentage rate does not exceed the allowable 36 percent (a claim, the court noted, plaintiffs dismissed and did not otherwise address). Moreover, the court determined that plaintiffs failed to allege that the defendant was a “creditor” under the narrower definition used by the MLA in its refinancing and roll-over prohibition or that the defendant’s “characterization of the convenience of repayment by allotment amounted to a misrepresentation or concealment of facts giving rise to plaintiffs’ MLA claim.”
On March 26, the Virginia governor signed HB 1411, which codifies the Virginia Community Development Financial Institutions Fund and creates the Virginia Community Development Financial Institutions Program to carry out the purposes of the fund. Among other things, the program will provide grants and loans to community development financial institutions (CDFIs) and other similar entities in order to fund small businesses, housing development and rehabilitation projects, and community revitalization real estate projects. Qualified recipients must emphasize microfinancing (defined as financing to small businesses in amounts of $100,000 or less) when using program funds. The Department of Housing and Community Development will oversee the fund and the program and is required to report annually on the fund’s use and impact. HB 1411 is effective July 1.
Recently, Virginia and Kentucky enacted measures relating to automatic renewal offers and continuous service offers.
HB 1517 was signed by the Virginia governor on March 27 to amend the Consumer Protection Act in the Virginia code. The amendments provide that all businesses offering automatic renewals or continuous service offers that include a free trial lasting longer than 30 days are required to notify consumers of their option to cancel the free trial within 30 days of the end of the trial period. Providing this notice will avoid obligating a consumer to pay for the goods or services. Failing to timely notify a consumer is a violation of the Virginia Consumer Protection Act. Additionally, a business also violates the statute should it fail “to disclose the total cost of a good or continuous service  to a consumer, including any mandatory fees or charges, prior to entering into an agreement for the sale of any such good or provision of any such continuous service.” HB 1517 is effective July 1.
SB 30 was signed by the Kentucky governor on March 23 to amend state law by adding sections addressing the termination of automatic renewal offers and continuous service officers. Among other things, the new sections define several terms, including “automatic renewal,” “automatic renewal offer terms,” “clear and conspicuous,” “consumer,” and “continuous service.” Businesses are required to provide clear and conspicuous automatic renewal or continuous service offer terms to consumers before the subscription or purchase agreement is fulfilled. Business also must obtain affirmative consent before charging a consumer’s credit or debit account or a consumer’s account with a third party. Additionally, businesses must (i) provide an acknowledgement that includes the terms, the cancellation policy, and information regarding how to cancel in a manner that can be retained by the consumer; (ii) give consumers appropriate mechanisms for cancellation; (iii) provide users who accept an automatic renewal or continuous service online the opportunity to terminate in the same medium; and (iv) provide a notice regarding material term changes. SB 30 outlines exemptions (including contracts entered into prior to the effective date), and states that first-time violators must “provide a prorated refund for the contract subject to an automatic renewal provision from the start of the most recent term to the date on which the business was notified of and corrects the error.” The state attorney general also may bring an action for injunctive and monetary relief against businesses that either fail to provide a prorated refund or where it is a business’s second or subsequent violation. SB 30 is effective January 1, 2024.
On March 26, the Virginia governor signed HB 2389, which permits mortgage lenders and mortgage brokers to allow employees and exclusive agents to work remotely provided certain conditions are met. Requirements to conduct business out of a remote location include: (i) the establishment of written policies and procedures for remote work supervision; (ii) ensuring access to platforms and customer information adheres to the licensee’s comprehensive written information security plan; (iii) the employment of appropriate risk-based monitoring and oversight processes, as well as the agreement from employees or exclusive agents who will work remotely to comply with these established practices; (iv) banning in-person customer interaction at an employee’s or exclusive agent’s residence unless the residence is an approved office; (v) the proper maintenance of physical records; (vi) compliance with federal and state security requirements when engaging in customer interactions and conversations; (vii) access to the licensee’s secure systems via a virtual private network or comparable system with password protection; (viii) the installation and maintenance of security updates, patches, or other alterations; (ix) “the ability to remotely lock or erase company-related contents of any device or otherwise remotely limit access to a licensee’s secure systems"; and (x) the designation of the principal place of business as the mortgage loan originator’s registered location for the purposes of the Nationwide Mortgage Licensing System and Registry record, “unless such mortgage loan originator elects an office as a registered location.” The amendments also add definitions for “office” and “remote location.” The Act is effective July 1.
On March 23, the Virginia governor signed HB 1727, which amends the Virginia code to allow credit unions operating in the commonwealth to engage in virtual currency custody services, provided the credit union “has adequate protocols in place to effectively manage risks and comply with applicable laws and, prior to offering virtual currency custody services, the credit union has carefully examined the risks in offering such services through a methodical self-assessment process.” The amendments stipulate that in order to engage in such services, a credit union must implement effective risk management systems and controls, confirm adequate insurance coverage, and maintain a service provider oversight program.
The amendments further provide that a credit union may offer such services in a fiduciary or nonfiduciary capacity; however, in order to provide virtual currency custody services in a fiduciary capacity, the credit union must first obtain approval from the State Corporation Commission. Commission approval is contingent upon a credit union having sufficient capital structure to support providing such services, credit union personnel being adequately trained to ensure compliance with governing laws and regulations, and that granting such authority is in the public interest. The amendments are effective July 1.
On March 28, the CFPB issued a determination that state disclosure laws covering lending to businesses in California, New York, Utah, and Virginia are not preempted by TILA. The preemption determination confirms a preliminary determination issued by the Bureau in December, in which the agency concluded that the states’ statutes regulate commercial financing transactions and not consumer-purpose transactions (covered by InfoBytes here). The Bureau explained that a number of states have recently enacted laws requiring improved disclosure of information contained in commercial financing transactions, including loans to small businesses. A written request was sent to the Bureau requesting a preemption determination involving certain disclosure provisions in TILA. While Congress expressly granted the Bureau authority to evaluate whether any inconsistencies exist between certain TILA provisions and state laws and to make a preemption determination, the statute’s implementing regulations require the agency to request public comments before making a final determination. In making its preliminary determination last December, the Bureau concluded that the state and federal laws do not appear “contradictory” for preemption purposes, and that “differences between the New York and Federal disclosure requirements do not frustrate these purposes because lenders are not required to provide the New York disclosures to consumers seeking consumer credit.”
After considering public comments following the preliminary determination, the Bureau again concluded that “[s]tates have broad authority to establish their own protections for their residents, both within and outside the scope of [TILA].” In affirming that the states’ commercial financing disclosure laws do not conflict with TILA, the Bureau emphasized that “commercial financing transactions to businesses—and any disclosures associated with such transactions—are beyond the scope of TILA’s statutory purposes, which concern consumer credit.”
On January 24, the U.S. Court of Appeals for the Fourth Circuit concluded that a district court did not abuse its discretion when certifying a class action. The lawsuit alleges an individual who orchestrated an online payday lending scheme violated the Racketeer Influenced and Corrupt Organization Act (RICO), engaged in unjust enrichment, and violated Virginia’s usury law by partnering with federally-recognized tribes to issue loans with allegedly usurious interest rates. (Covered by InfoBytes here.) The plaintiffs alleged the defendant partnered with the tribes to circumvent state usury laws even though the tribes did not control the lending operation. The district court stated that, as there was “no substantive involvement” by the tribes in the lending operation and that the evidence showed that the defendant was “functionally in charge,” the lending operation—which allegedly charged interest rates exceeding Virginia’s 12 percent interest cap—could not claim tribal immunity.
After the district court certified two borrower classes, the defendant appealed, arguing, among other things, that “[b]orrowers entered into enforceable loan agreements with lending entities in which they waived their right to bring class claims against him,” and that “common issues do not predominate so as to permit class treatment in this case.” Specifically, the defendant claimed that his role in the lending operations changed throughout the class period, and that individualized “proof” and “tracing” would be necessary to prove that he “participated in the direction of the affairs of the alleged enterprise” or that he received some portion of each borrower’s interest payments.
On appeal, the 4th Circuit disagreed with the defendant’s assertions. It found no reason to question the district court’s conclusion that the defendant was the “de facto” head of the lending operations throughout the class period. “And the fact that [the defendant] served as the ‘de facto head’ of the lending operations for the entire class period supports the district court’s determination that the Borrowers will be able to use common proof to show that [the defendant] ‘participated in the direction of the’ lending operations such that common questions predominate over individual questions[,]” the appellate court stated. The 4th Circuit further concluded that the “record supports the district court’s conclusion that [the defendant] lied when he said he was never involved in receiving or demanding payments on [the lending operation’s] loans.”
On April 11, the Virginia governor signed legislation enacting additional amendments to the Virginia Consumer Data Protection Act (VCDPA). Both bills take effect July 1.
HB 714 (identical bill SB 534) expands the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.
HB 381 amends VCDPA provisions related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA.
As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
On April 11, the Virginia governor signed HB 78, which relates to automatic renewal or continuous service offers to consumers. The bill, among other things, requires that suppliers of automatic renewals or continuous service offers through an online website make a conspicuous online option available for canceling a recurring purchase of a good or service. Under the Virginia Consumer Protection Act, the bill establishes that failing to make available such option to cancel is prohibited. The bill is effective July 1.
On April 8, the Tennessee governor signed HB 1652, which also requires that suppliers of automatic renewals or continuous service offers through an online website make a conspicuous online option available for canceling a recurring purchase of a good or service. The bill is effective January 1, 2023.
On April 11, the Virginia governor signed HB 263, which permits banks in the Commonwealth to provide customers with virtual currency custody services “so long as the bank has adequate protocols in place to effectively manage risks and comply with applicable laws.” Before offering virtual currency custody services, banks must conduct a self-assessment process to carefully examine the risks involved in offering such services, which includes: (i) “implement[ing] effective risk management systems and controls to measure, monitor, and control relevant risks associated with custody of digital assets such as virtual currency”; (ii) confirming adequate insurance coverage for such services; and (iii) maintaining a service provider oversight program to address risks to service provider relationships as a result of engaging in virtual currency custody services. Banks may provide virtual currency custody services in either a fiduciary or non-fiduciary capacity. If a bank provides such services in a nonfiduciary capacity, the bank will “act as a bailee, taking possession of the customer’s asset for safekeeping while legal title remains with the customer” (i.e. “the customer retains direct control over the keys associated with their virtual currency”). Should a bank provide services in a fiduciary capacity, it must “require customers to transfer their virtual currencies to the control of the bank by creating new private keys to be held by the bank.” The bank will have “authority to manage virtual currency assets as it would any other type of asset held in such capacity.” HB 263 takes effect July 1.