Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Colorado enacts consumer protections for artificial intelligence

    State Issues

    On May 17, Colorado enacted SB 24-205 (the “Act”) concerning consumer protections in interactions with artificial intelligence (AI) systems. The Act requires developers of “high-risk” AI systems—defined as AI systems that make “consequential” decisions relating to education, employment, financial or lending services, housing, or insurance, etc.—to take reasonable care to protect consumers from “any known or reasonably foreseeable risks of algorithmic discrimination” that could arise from the use of such systems. The Act grants the Attorney General (AG) rule-making authority to implement and enforce the associated requirements.

    Beginning in February 2026, developers must provide deployers with comprehensive documentation comprising a general statement of the AI system’s foreseeable uses and known harmful or inappropriate applications, high-level summaries of the training data, known or reasonably foreseeable limitations and risks, the system’s purpose, and its intended benefits and uses. Furthermore, developers must share how the AI system was evaluated for performance and algorithmic discrimination mitigation, the data governance measures applied to its data sets and sources, the intended outputs, the measures taken to mitigate risks, and the guidelines on the proper use and monitoring of the system.

    Developers must share publicly a summary statement on their website or in a public use case inventory summarizing the types of high-risk AI systems that developers have developed or substantially modified and how they manage the potential risks of algorithmic discrimination associated with these systems. Additionally, deployers of high-risk AI systems must notify consumers of a system’s involvement in significant decision making, allow consumers to correct inaccurate personal data, and establish an appeal process for adverse determinations which, if technically feasible, allows for human review. 

    Finally, developers of high-risk AI systems are required to disclose any known or reasonably foreseeable risks of algorithmic discrimination to the AG and all known deployers or other developers of the system. Such disclosure must occur without unreasonable delay and no later than 90 days after a developer becomes aware of the risk. Furthermore, under the Act, the AG has the authority to request documentation or statements from developers to ensure compliance.

    State Issues Colorado Artificial Intelligence State Legislation Consumer Protection

  • Colorado extends and amends law for debt-management service providers

    State Issues

    On May 22, the Governor of Colorado approved HB 1251 (the “Act”) which will extend the regulation of debt-management service providers through September 1, 2035 (without legislative action, the relevant law would have been repealed on September 1 of this year). The Act will require debt-management service providers to provide personal finance management education to consumers and keep records of such education, require settlements between a consumer and creditor to be made in writing, and allow the Colorado Attorney General’s office to use the administrative process (instead of the rulemaking process) to establish reasonable fees to be paid by debt-management service providers. The Act will go into effect 90 days following the adjournment of the state assembly, provided no referendum would be filed.

    State Issues Colorado Debt Management Recordkeeping

  • Colorado enacts insurance proceeds disbursement requirements for mortgage servicers

    State Issues

    On May 20, Colorado enacted HB24-1011 (the “Act”), which predominantly addressed mortgage servicers’ disbursement of insurance proceeds.

    The Act states that, upon the borrower’s request, mortgage servicers must disclose the specific conditions under which the servicer will disburse insurance proceeds in the event that the underlying property was damaged and an insurance company paid proceeds to satisfy the claim. Among other requirements, if the borrower is not delinquent or was less than thirty-one days delinquent in respect of his or her mortgage payments, the borrower is responsible for creating a repair or rebuild plan for the mortgaged property and submitting such plan to the mortgage servicer for approval. In turn, the mortgage servicer is responsible for approving or denying a plan within thirty days of receipt. Additionally, the borrower is entitled to reimbursement of certain advance payments made to a contractor or to purchase materials for the repair or rebuild. The Act outlines a different process if a borrower is more than thirty-one days delinquent on a mortgage payment. The Act provides for additional details regarding the disbursement of proceeds, including the amounts of disbursement.

    Additionally, the Act provides that (1) mortgage servicers must disclose, among other items of information, the mortgage interest associated with mortgages upon the commencing of servicing and thereafter as the request of the borrower, and (2) a mortgage servicer must keep all communications with a borrower for at least four years. The Act became effective upon passage. 

    State Issues Colorado Mortgage Servicing Mortgages Insurance State Legislation

  • Minnesota amends list of deceptive practices to include hidden fees

    State Issues

    On May 20, the Governor of Minnesota approved HF 3438 (the “Act”) which rewrote two sections of Minnesota’s statutes to 1) redefine the scope of engaging in a deceptive trade practice, and 2) indemnify certain exemptions. Under the revised statute, in Minnesota, a person will engage in a deceptive trade practice when it lists the price of a good or service but does not include all mandatory fees or surcharges. Further, a mandatory fee will include, but is not limited to, a fee that must be paid in order to purchase the goods or services advertised, was not reasonably avoidable by the consumer, or that would be reasonably expected in the purchase of a good or service. A mandatory fee would not include taxes imposed by a government entity. When a consumer would complete a purchase on a delivery platform, the delivery platform must display “in a clear and conspicuous manner” any additional flat fees or percentages which are charged for that purchase. Upon checkout, the delivery platform must display the subtotal and any additional fees added to the total cost. The second amended section referred to exemptions related to lawful fees in association with the purchase or lease of an automobile from a dealership. The Act will go into effect on January 1, 2025.

    State Issues Fees Minnesota State Legislation Deceptive UDAP

  • Maryland enacts child consumer protection laws

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 571 (the “Act) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including against processing data not in children’s best interests, profiling children, processing geolocation, using of dark patterns, or monitoring of children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.

    Privacy, Cyber Risk & Data Security State Issues Maryland Consumer Protection State Legislation

  • Maryland enshrines its consumer online data privacy act

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.

    The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.

    Privacy, Cyber Risk & Data Security Maryland State Issues State Legislation

  • Maryland enacts new powers for regulators to examine third parties

    State Issues

    On May 9, the Governor of Maryland approved HB 250 (the “Act”) which will authorize the Commissioner of Financial Regulation to examine third parties that service entities under the supervision of the state’s Office of Financial Regulation (OFR). Such licensed entities include both depository and non-depository financial institutions. Currently, the OFR lacks the authority to examine third parties until the Act goes into effect. The Act will define third-party service providers as a “person who performs activities relating to financial services on behalf of a regulated entity for that regulated entity’s customers,” and include data processing centers, activities that support financial services, and internet-related services. On enforcement, the Act will authorize the OFR to enforce the law against any third party that refuses to submit to an examination, refuses to pay a fee, or engages in “unsafe or unsound” behaviors as determined by the OFR. The Act will outline several authorities of the OFR, including notifying the licensed person, which information the OFR can access, and levying fees. Following a notice and hearing, the Commissioner may issue a cease-and-desist order, suspend or revoke a violator’s license, or issue a penalty of up to $10,000 for the first violation and up to $25,000 for each subsequent violation. The Act takes effect on October 1.

    State Issues State Legislation Maryland Enforcement Fees

  • Connecticut becomes latest state to ban medical debts in credit reporting

    State Issues

    On May 9, the Governor of Connecticut approved SB 395 (the “Act”) banning health care providers from reporting medical debt to credit rating agencies. Further, the Act will prohibit hospitals and collection agents from reporting a patient to a credit rating agency, as well as initiating an action to foreclose a lien where the lien was filed to secure payment for health care (retroactive from October 1, 2022), and from garnishing wages for health care collections (also retroactive from October 1, 2022). The Act will go into effect on July 1. The CFPB wrote in favor of this bill’s enactment after the CFPB promulgated its NPRM to prohibit creditors from using medical bills in underwriting decisions, as covered by InfoBytes here.

    State Issues Connecticut State Legislation CFPB Medical Debt Credit Report

  • NYDFS releases its Cybersecurity Program Template

    State Issues

    On May 13, NYDFS issued a guidance letter informing licensed entities about its Cybersecurity Program Template. NYDFS created the Template to help individual licensees and individually owned businesses licensed by NYDFS to develop a cybersecurity program as required by its cybersecurity regulation (23 NYCRR Part 500). The Template was prepared based on the version of the NYDFS Cybersecurity Regulation in effect as of November 1, 2023 (covered by InfoBytes here). The template does not need to be submitted to NYDFS or any other state agencies for approval. 

    State Issues NYDFS Privacy, Cyber Risk & Data Security New York

  • Maryland updates prohibited items reported on consumer credit reports

    State Issues

    On May 9, the Governor of Maryland approved SB 41 (the “Act”) which will change the requirements on prohibitions for consumer reporting agencies as to what information they may include in consumer credit reports.

    The Act will prohibit consumer reporting agencies from reporting bankruptcies more than 10 years before the credit report would be issued, suits and judgments of more than seven years, paid tax liens greater than seven years, accounts placed for collection of more than seven years, arrest records or other crime reports of greater than seven years, and “any other adverse information that predates the report” by more than seven years. These reporting prohibitions do not apply to credit transactions with a principal amount of at least $150,000, as well as both the underwriting of life insurance with a face value of at least $150,000 or the employment of someone with a salary of at least $75,000. The Act will go into effect on October 1.

    State Issues Maryland Credit Report Consumer Reporting Agency Debt Collection


Upcoming Events