Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DFPI, Fed to oversee bank’s self-liquidation
On June 1, the California Department of Financial Protection and Innovation (DFPI) announced that it issued a joint cease-and-desist order with the Federal Reserve Board to fulfill the voluntary liquidation of a crypto-friendly bank. Focusing on providing financial services in the crypto-asset industry, the bank began operating in 2013. In 2023, however, the bank announced its voluntary liquidation, following a mass exodus of high-profile clients. In the fourth quarter of 2022, the bank experienced a sudden drop in deposits, triggered by the collapse of a crypto-exchange company in the previous quarter. DFPI noted that in its most recent examinations of the bank, the bank showed deficits in security and compliance with regulations. Within 10 days of the order, the bank must submit a voluntary self-liquidation plan acceptable to DFPI and upon approval, must implement that plan to wind down its operations “in a safe and sound manner and in compliance with all applicable federal and state laws, rules, and regulations.” The bank has advised that the liquidation will include full repayment of all of its deposits.
Florida tightens restrictions on phone and text solicitations
On May 25, the Florida governor signed HB 761 (the “Act”) to clarify notice requirements relating to telephone and text message solicitations and to outline conditions under which certain civil actions may be brought. Specifically, the amendments provide that “unsolicited” telephone sales calls involving an automated system used to select and dial numbers or one that plays a recorded message cannot be made without the prior express written consent of the called party. Consent may now be obtained by a consumer “checking a box indicating consent or responding affirmatively to receiving text messages, to an advertising campaign, or to an e-mail solicitation.”
The Act also clarifies that before the commencement of a civil action for damages for text message solicitations, the called party must reply “STOP” to the number that sent the message. The called party may bring an action only if consent is not given and the telephone solicitor continues to send text messages 15 days after being told to cease. The new requirements apply to any suit filed on or after the Act’s immediate effective date, as well as to any putative class action not certified on or before the effective date of the Act. The Act became effective immediately.
District Court preliminarily approves $2.7 million FCRA settlement
On June 1, the U.S. District Court for the Eastern District of California preliminarily approved a class action settlement, which would require a corporate defendant to pay $2.7 million to resolve allegations that it provided false information on credit reports to auto dealers. The defendant sells credit reports to auto dealers to help dealers manage their regulatory compliance obligations, the order explained, noting that one of these obligations prohibits dealers from engaging in business with anyone designated on the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list. The SDN list is comprised of persons and entities owned or controlled by (or acting for or on behalf of) a targeted company, or non-country specific persons, who are prohibited from conducting business in the U.S. The defendant would flag a consumer as an “OFAC Hit” if it matched a name on the SDN list.
The order explained that when using a “similar name” algorithm script to run the consumer’s name against the SDN list to check for a match, the defendant only ran first and last names and did not input other available information such as birth dates and addresses. The lead plaintiff filed a putative class action pleading claims under the FCRA and California’s Consumer Credit Reporting Agencies Act, alleging his name inaccurately came up as an OFAC hit on a credit report sold to an auto dealer. In turn, the plaintiff was denied credit and suffered emotionally, later learning that the defendant incorrectly matched him with an SDN. According to class members, the defendant failed to follow reasonable procedures to assure maximum possible accuracy when matching consumer information and failed to provide, upon request, all information listed in a consumer’s file. Moreover, the lead plaintiff claimed the defendant failed to investigate the disputed OFAC-related information sold to the dealer. The defendant moved for summary judgment on the premise that it was not acting as a consumer reporting agency and that OFAC check documents were not consumer reports, but the court denied the motion and later certified the class. If finalized, the settlement would provide $1,000 to each of the class members, attorneys fees and costs, and a service award to the lead plaintiff.
NYDFS circulates advisory on file transfers
On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risks assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours at the latest, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” are considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).
NYDFS calls its virtual currency framework the “gold standard”
On May 25, NYDFS Superintendent Adrienne Harris testified before the New York assembly to address the regulation of virtual currency in the state. Harris highlighted the value and “gold standard” set by NYDFS’s virtual currency regulatory framework. She detailed how novel risks in that landscape were met with subsequential growth of the virtual currency unit since her arrival, including the addition of 50 professionals and a range of seasoned experts to streamline enforcement investigations.
In her testimony, Harris also voiced how the framework responsibly supports innovation for entities engaging primarily in virtual currency activities, leveraging their licensing (BitLicense) and chartering (the limited purpose trust company charter) regimes, whereas other states license virtual currency entities only as money transmitters. Adding on, she specified how NYDFS’s customized approach continues after approval, specifically, “NYDFS creates a detailed supervisory agreement that is tailored to the specific risks presented by the company’s business model. Licensed and chartered entities also are subject to ongoing supervision and are regularly examined for compliance with broadly applicable virtual currency regulations and other rules, as well as with their supervisory agreements.” The development of these tools, among other safeguards, is demonstrative of NYDFS’ focus on addressing the inherently high-risk nature of virtual currency business activity with respect to illicit transactions, she noted.
Harris further clarified that secure, customized regulatory requirements, as outlined in the framework, coupled with transparency, ushers in more business for the state, especially in the case of crypto startups. Further, other regulators, jurisdictions, and economic development agencies are seeking to replicate the framework, Harris commented, as consumer protection is not only achieved as outlined in the law, but by regulators that are able to move at a faster pace than the former.
New York reaches settlement with medical management company over patient data
On May 23, the New York attorney general announced a settlement with a medical management company, for allegedly failing to protect over 428,000 New Yorkers’ personal and health data from a 2020 ransomware cyberattack affecting roughly 1.2 million consumers nationwide. According to the AG’s investigation, the company implemented a new version of its software in January 2019, but allegedly failed to conduct a series of security tests and scans that could have identified any security problems. Further, the private information maintained by the company was not encrypted. Notably, information for 13 consumers was apparently discovered on the dark web days after the hack. The investigation concluded that the company, amongst the 28 areas where they failed to maintain reasonable data security practices to protect patients’ private and health information, allegedly failed to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers. Under the terms of the assurance of discontinuance, the company, while neither admitting or denying the allegations, agreed to pay $550,000 in penalties, and will improve its data security practices and offer affected customers free credit monitoring services.
Texas amends breach notification requirements
On May 27, the Texas governor signed SB 768 to amend the state’s data breach notification statutes. The Act requires entities to notify the attorney general “as soon as practicable” and not later than 30 days after the date a computerized security system breach occurs involving at least 250 Texas residents. The Act now details that notification must be submitted electronically using a form accessible through the attorney general’s website. No substantive changes were made to the required information within the form. The Act is effective September 1.
Minnesota enacts small-dollar consumer lending and money transmitter amendments; Georgia and Nevada also enact money transmission provisions
On May 24, the Minnesota governor signed SF 2744 to amend several state statutes relating to financial institutions, including provisions concerning small-dollar, short-term consumer lending, payday lending, and money transmitter requirements. Changes to the statutes governing consumer small loans and consumer short-term loans amend the definition of “annual percentage rate” (APR) to include “all interest, finance charges, and fees,” as well as the definition of a “consumer short-term loan” to mean a loan with a principal amount or an advance on a credit limit of $1,300 (previously $1,000). The amendments outline certain prohibited actions and also cap the permissible APR on a loan at no more than 50 percent and stipulate that lenders are not permitted to add other charges or payments in connection with these loans. The changes apply to loans originated on or after January 1, 2024. The amendments also make several modifications to provisions relating to payday loans with APRs exceeding 36 percent, including requirements for conducting an ability to repay analysis. These provisions are effective January 1, 2024.
Several new provisions relating to the regulation and licensing of money transmitters are also outlined within the amendments. New definitions and exemptions are provided, as well implementation instructions that provide the state commissioner authority to “enter into agreements or relationships with other government officials or federal and state regulatory agencies and regulatory associations in order to (i) improve efficiencies and reduce regulatory burden by standardizing methods or procedures, and (ii) share resources, records, or related information obtained under this chapter.” The commissioner may also accept licensing, examination, or investigation reports, as well as audit reports, made by other state or federal government agencies. To efficiently minimize regulatory burden, the commissioner is authorized to participate in multistate supervisory processes coordinated through the Conference of State Bank Supervisors (CSBS), the Money Transmitter Regulators Association, and others, for all licensees that hold licenses in the state of Minnesota and other states. Additionally, the commissioner has enforcement, examination, and supervision authority, may adopt implementing regulations, and may recover costs and fees associated with applications, examinations, investigations, and other related actions. The commissioner may also participate in joint examinations or investigations with other states.
With respect to the licensing provisions, the amendments state that a “person is prohibited from engaging in the business of money transmission, or advertising, soliciting, or representing that the person provides money transmission, unless the person is licensed under this chapter” or is a licensee’s authorized delegate or exempt. Licenses are not transferable or assignable. The commissioner may establish relationships or contracts with the Nationwide Multi-State Licensing System and Registry and participate in nationwide protocols for licensing cooperation and coordination among state regulators if the protocols are consistent with the outlined provisions. The amendments also outline numerous licensing application and renewal procedures including net worth and surety bond, as well as permissible investment requirements.
The same day, the Nevada governor signed AB 21 to revise certain provisions relating to the licensing and regulation of money transmitters in the state. The amendments generally revise and repeal various statutory provisions to establish a process for governing persons engaged in the business of money transmission that is modeled after the Model Money Transmission Modernization Act approved by the CSBS. Like Minnesota, the commissioner may participate in multistate supervisory processes and information sharing with other state and federal regulators. The commissioner also has expanded examination and enforcement authority over licensees. The Act is effective July 1.
Additionally, the Georgia governor signed HB 55 earlier in May to amend provisions relating to the licensing of money transmitters (and to merge provisions related to licensing of sellers of payment instruments). The Act addresses licensee requirements and prohibited activities, outlines exemptions, and provides that applications pending as of July 1, “for a seller of payment instruments license shall be deemed to be an application for a money transmitter license as of that date.” Notably, should a license be suspended, revoked, surrendered, or expired, the licensee must, “within five business days, provide documentation to the department demonstrating that the licensee has notified all applicable authorized agents whose names are on record with the department of the suspension, revocation, surrender, or expiration of the license.” The Act is also effective July 1.
FTC says COPPA does not preempt state privacy claims
The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.
As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”
In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.
Fintech fined over interest charges billed as tips and donations
A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.
The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.
A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.
In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.