Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • NYDFS encourages regulated entities to prepare for cyber attacks

    State Issues

    On January 4, NYDFS issued an Industry Letter warning regulated entities about the “heightened risk” of cyberattacks by hackers affiliated with the Iranian government following the killing of Iranian official Qasem Soleimani, and strongly encouraging entities to undertake preparations to ensure quick responses to any suspected cyber incidents. Specifically, NYDFS recommends that regulated entities (i) patch/remediate all vulnerabilities (especially publicly disclosed vulnerabilities); (ii) ensure employees are adequately able to handle phishing attacks; (iii) “fully implement multi-factor authentication”; (iv) “review and update disaster recovery plans”; (v) and quickly respond to further alerts from the government or other reliable sources, even outside regular business hours. The letter notes that NYDFS’ cyber regulation 23 NYCRR 500.17 (previously covered by InfoBytes here), requires regulated entities to notify NYDFS “‘as promptly as possible but in no event later than 72 hours’ after a material cybersecurity event.”

    State Issues State Regulators NYDFS Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • California DBO denies point-of-sale lending license application; issues related guidance

    State Issues

    On December 30, the California Department of Business Oversight (DBO) announced the denial of a Minnesota-based point-of-sale company’s application to make loans under the California Financing Law (CFL) after determining the company had already been making unregulated loans to California consumers in violation of the CFL. According to the DBO’s Statement of Issues, the fintech company offers a product that allows consumers to enter into small installment loans in order to make online purchases at participating merchants. The company contended that it purchases credit sale contracts from merchants selling goods to consumers, and argued that these types of purchases do not qualify as loans subject to the CFL. However, following a review of the company’s application and products, the DBO concluded that the company structured its merchant partners’ purported credit sales to evade otherwise applicable consumer protections. Moreover, the DBO stated in its press release that the company’s “extensive role in its merchants’ transactions and pre-existing relationship with some consumers who were parties to the purported credit sales showed that [the company] was making loans under California law.” According to the decision, “[e]xtensive third-party involvement in the underlying credit sale may cause transactions to be deemed loans, regardless of form . . . even if the underlying credit sale is bona fide” (italics in original).

    The DBO also issued a separate legal opinion advising a different, unidentified lender that its deferred payment products meet the Civil Code and case law definition of “loans” and therefore require a CFL license to be offered in the state. Among other things, the DBO argued that it is unclear as to why the lender’s products—which the lender claims “are not loans but similar to a forbearance”—would be exempt from the CFL, reiterating that loans and forbearances are both subject to usury provisions. The DOB noted that point-of-sale financing transactions may meet the definition of a loan when: (i) the transactions are treated like loans by the consumer, merchant, and third-party financer, “despite contradictory language in the applicable contracts”; (ii) there is an extensive relationship between the merchant and third-party financer; (iii) disclosures are not clearly made to the consumer about the role of the third-party financer and all financing terms; and (iv) “the financing transaction is not otherwise regulated.”

    State Issues State Regulators Licensing Fintech CDBO

    Share page with AddThis
  • New York extends consumer protections for vehicle leases

    State Issues

    On December 23, the New York governor signed S 3631, which amends the state’s insurance law to increase protections for New York consumers from unplanned charges at the end of a motor vehicle lease. The definition of “service contracts” is broadened to cover more comprehensive service contracts on motor vehicles leased for personal use. Service contracts covered by the law will now include agreements that apply to accidental damage and excess use and wear and tear, including missing parts of the vehicle, and items not covered by a warranty or other service agreement, as long as such services do not exceed the purchase price of the automobile. The law became effective when signed.

    State Issues Auto Finance Auto Leases State Regulation Consumer Protection Service Contracts

    Share page with AddThis
  • Internet provider and states agree to nearly $12.5 million for false advertising, hidden fees

    State Issues

    On December 19, the Colorado attorney general announced that an internet service provider (ISP) agreed to pay nearly $8.5 million in order to resolve allegations that it “unfairly and deceptively charg[ed] hidden fees, falsely advertis[ed] guaranteed locked prices, and fail[ed] to provide discounts and refunds it promised” to Colorado consumers in violation of the Colorado Consumer Protection Act. According to the announcement, in 2017 the AG’s office investigated the ISP and compiled information that the ISP had “systematically and deceptively overcharged consumers for services” since 2014 (see the complaint filed by the AG here). In the settlement, the ISP agreed to an order that requires it, among other things, to (i) refrain from making false and misleading statements to consumers in the marketing, advertising and sale of its products and services; (ii) accurately communicate monthly base charges as well as one-time fees, taxes, and other fees and surcharges to consumers; (iii) disclose any “internet cost recovery fee” or “broadband recovery fee” to consumers being charged the fees and allow the affected consumers to switch to different services if they wish to avoid the fees; (iv) refrain from charging an “internet or broadband cost recovery fee” on new orders; and (v) provide refunds to customers who were overcharged for services and to those customers who did not previously receive discounts that the ISP promised.

    In a separate action, on December 31, the Oregon attorney general’s office announced that it entered into a $4 million Assurance of Voluntary Compliance with the same ISP to resolve similar claims of deceptive acts and practices in the advertising, sale, and billing of the ISP’s internet, telephone and cable services in violation of the Oregon Unlawful Trade Practices Act. According to the announcement, the Oregon DOJ started an investigation of the ISP in 2014 for allegedly “misrepresenting the price of services, failing to inform consumers of terms and conditions that could affect the price, and billing consumers for services they never received.” The ISP agreed to requirements that are very similar to those in the Colorado settlement. The announcement notes that the “Oregon DOJ will continue to lead a separate securities class action lawsuit arising from the same conduct.”

    State Issues Courts State Attorney General Consumer Protection Settlement Advertisement Fees Enforcement

    Share page with AddThis
  • California Court of Appeal: Borrowers allowed opportunity to cure default on missed loan modification payments

    Courts

    On December 16, the California Court of Appeal for the First Appellate District allowed borrowers who missed payments on their modified mortgage loan to reinstate the loan and avoid foreclosure by paying the amount in default under the terms of the modified loan, rather than the amount that would have been in default under the original loan terms. According to the court, the borrowers missed four monthly payments on their modified loan, which had deferred certain amounts due on the original loan (including principal). The loan-modification agreement stated that any future default would allow the lender to void the loan modification and enforce the original loan terms. According to the lender, in order to reinstate their account and avoid foreclosure, the borrowers would have to pay the amount that would have been past due on the original loan principal before the loan was modified, plus the four missed monthly payments, associated late charges, and fees and costs. The borrowers filed suit, alleging violations of California Civil Code §§ 2924c and 2953. Section 2924c overrides typical mortgage acceleration clauses to give the borrower the right to cure a default by paying the amount in default rather than the entire principal balance, plus specified fees and expenses. Section 2953 provides that the right of reinstatement created by § 2924c cannot be waived in “[a]ny express agreement made or entered into by a borrower at the time of or in connection with the making of or renewing of any loan secured by a deed of trust, mortgage, or other instrument creating a lien on real property.”

    The Court of Appeal reversed the trial court’s grant of summary judgment to the lender. It held that the loan modification at issue was “appropriately viewed as the making or renewal of a loan secured by a deed of trust . . . and is thus subject to the anti-waiver provisions of Section 2953.” Therefore, the court held that the lender had failed to show that the borrowers “could not prevail on their claim” that the lender violated § 2924c and was accordingly not entitled to summary judgment, and remanded the matter to the trial court.

    Courts State Issues Appellate Mortgages Foreclosure

    Share page with AddThis
  • NYDFS directs financial institutions to submit LIBOR transition risk management plans

    State Issues

    On December 23, NYDFS issued an Industry Letter (Letter) directing its regulated depository and non-depository institutions, insurers, and pension funds to outline their plans for managing the risks associated with the potential impact of LIBOR’s likely cessation at the end of 2021. NYDFS seeks assurance that regulated institutions’ board of directors and senior management fully understand the associated risks, have developed appropriate plans, and have initiated actions to facilitate transition to an alternative reference rate. The Letter does not mandate use of any particular alternative rate, but notes that “the Alternative Reference Rates Committee . . ., convened by the FRB and the [Federal Reserve Bank of New York (FRBNY)], has chosen [the Secured Overnight Financing Rate published by the FRBNY] as its recommended alternative to U.S. dollar LIBOR.” The Letter requires NYDFS-regulated institutions to describe: (i) programs that will assess financial and non-financial transition risks; (ii) “processes for analyzing and assessing alternative rates, and the potential associated benefits and risks of such rates both for the institution and its customers and counterparties”; (iii) processes to communicate with customers and counterparties; (iv) plans and processes for “operational readiness, including related accounting, tax and reporting aspects of [the] transition” from LIBOR; and (v) their governance framework, including oversight by an institution’s board of directors or its equivalent governing authority. Institutions are required to submit their transition-risk management plans to NYDFS by February 7.

    State Issues State Regulators LIBOR SOFR NYDFS Risk Management

    Share page with AddThis
  • Bank and Philadelphia reach $10 million settlement in redlining suit

    State Issues

    On December 16, a national bank and the city of Philadelphia agreed to a $10 million settlement in a fair lending suit filed against a national bank in 2017 in the U.S. District Court for the Eastern District of Pennsylvania. The settlement resolves claims against the bank alleging violations of the Fair Housing Act, as previously covered in InfoBytes. Specifically, the city alleged that the bank engaged in discriminatory mortgage lending practices by placing minority borrowers in loans with less favorable terms than loans to similar non-minority borrowers. According to the complaint, these allegedly discriminatory loans increased foreclosure rates and resulted in falling property values, particularly in minority and low-income neighborhoods in Philadelphia. The empty properties and lower property values in turn reduced tax revenues and increased costs to the city to pay for municipal services including police, fire fighting, housing programs, and also maintenance for the growing number of empty properties. The court had previously denied the bank’s motion to dismiss, (prior InfoBytes coverage here), which argued, among other things, that the city had failed to show that the bank’s alleged lending practices were the proximate cause of the city’s harm.

    State Issues Courts Fair Housing Act Mortgage Origination Settlement Redlining Fair Lending

    Share page with AddThis
  • Pennsylvania reaches settlement with travel websites over data breach

    State Issues

    On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s investigation, a hacker bypassed security detection and built malware that targeted payment cards on one of the company’s platforms. The company was also notified by a business partner of potentially fraudulent point of purchase transactions related to the data breach. Under the terms of the Assurance of Voluntary Compliance—which alleges the company violated the state’s Unfair Trade Practices and Consumer Protection Law by misrepresenting safeguards for customer data in its privacy policy and failing to fully implement data security policies—the companies have agreed to pay $110,000, including a $80,000 civil penalty and $30,000 towards future public protection and education purposes. The company must also implement a number of security requirements, such as (i) implementing a comprehensive information security program on their travel website; (ii) conducting annual risk assessments; (iii) developing a program for implementing and operating safeguards; and (iv) complying with Payment Card Industry Data Security Standards.

    State Issues State Attorney General Settlement Data Breach Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Hospitality company's bid to dismiss data breach suit rejected

    Courts

    On December 13, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss a data breach suit brought by the City of Chicago. According to the city’s complaint, the company violated the Illinois Consumer Fraud and Deceptive Business Practices Act by, among other things, allegedly failing to (i) “protect Chicago residents’ personal information”; (ii) implement and maintain reasonable security measures; (iii) disclose that it did not maintain reasonable security measures; and (iv) provide “prompt notice” of the breach to Chicago residents. According to the opinion, the city had established standing to sue the company because it adequately alleged injury to its municipal interests. Additionally, the court rejected the company’s assertion that the suit is unconstitutional under the Illinois Constitution, stating that the consumer protection ordinance the company was alleged to have violated “addresses a local problem, making it a legitimate exercise of the City’s home rule authority” under the state’s constitution. The company had released a statement in November 2018, which is at the center of the city’s action, stating that the breach was discovered in September 2018, had exposed personal information from 500 million guests, and been ongoing since 2014.

     

    Courts Privacy/Cyber Risk & Data Security State Issues State Regulation Consumer Protection Data Breach

    Share page with AddThis
  • District Court’s reversal of jury verdict in FDCPA case overturned

    Courts

    On December 12, the U.S. Court of Appeals for the Fifth Circuit reversed the district court’s ruling overturning a jury verdict in favor of the consumer for a debt collection company’s (company) violation of the FDCPA and the Texas Fair Debt Collection Practices Act (Texas Act). The consumer sued the company claiming that after she sent the company a letter disputing a debt, the company failed to report to the credit bureaus that the debt was “disputed.” At trial, the jury awarded the consumer $61,000 for the company’s alleged FDCPA and Texas Act violations. Afterwards, the district court granted the company’s post-trial motion for judgment as a matter of law, overturned the jury’s verdict, and dismissed the case, ruling that the consumer failed to provide evidence that the disputed debt was a consumer debt.

    On appeal, the 5th Circuit held that it is within the jury’s discretion to make credibility determinations and that it was permissible for the jury to credit the consumer’s testimony about the consumer nature of the debt—a determination which cannot be disturbed unless it is impossible that the testimony is true. In addition, the appellate court noted that the jury has discretion to draw inferences and that it reasonably inferred that the disputed debt was, in fact, a consumer debt, as the consumer claimed.

    Courts Appellate Fifth Circuit State Issues FDCPA Debt Collection Credit Ratings Credit Report Credit Scores

    Share page with AddThis

Pages

Upcoming Events