Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
Fed and Illinois regulator take action against bank on capital and management
On May 4, the Federal Reserve Board announced an enforcement action against an Illinois state-chartered community bank and its holding company related to alleged deficiencies identified in recent examinations. While the written agreement (entered into by the parties at the end of April) does not outline the specific deficiencies, it notes that the bank and the holding company have started taken corrective action to address the issues identified by the Federal Reserve Bank of St. Louis (FRB) and the Illinois Department of Financial and Professional Regulation (IDFPR). Among other things, the holding company’s board of directors must take appropriate steps to fully use its financial and managerial resources to ensure the bank complies with the written agreement and any other supervisory action taken by the bank’s federal or state regulator. The board is also required to submit a written plan to the FRB and the IDFPR describing actions and measures it intends to take to strengthen board oversight of the management and operations of the bank. The bank is required to submit a written plan outlining its current and future capital requirements and must notify the FRB and the IDFPR within 30 days after the end of any calendar quarter in which its capital ratios fall below the minimum ratios specified within the approved capital plan. Additionally, the bank is prohibited from taking on debt, redeeming its own stock, or paying out dividends or distributions without the prior approval of state and federal regulators.
Indiana enacts Money Transmission Modernization Act
On May 4, the Indiana governor signed SB 458, which repeals current Indiana code governing the licensing and regulation of money transmitters by the Department of Financial Institutions. The bill adds a new chapter codifying the Money Transmission Modernization Act, and outlines provisions to be administered by the Department’s Division of Consumer Credit. Among other things, the Act is designed to eliminate unnecessary regulatory burden and ensure states are able to coordinate in all areas of regulation, licensing, and supervision. The Act will also enforce compliance with applicable state and federal laws, standardize activities subject to or exempt from licensing, and modernize safety and soundness requirements to protect customer funds, while also supporting innovation and competitive business practices. The Act defines terms, outlines exemptions, and establishes authorities for the director who many enter into agreements with other government officials or regulatory agencies/associations to improve efficiencies and reduce regulatory burden. The Department is also granted authority to interpret and enforce the chapter, promulgate rules and regulations, and recover administrative and enforcement costs.
With respect to licensing provisions, the director is authorized to report complaints received concerning licensees, as well as significant or recurring violations, to the Nationwide Multi-State Licensing System and Registry (NMLS), and may use NMLS for all aspects of licensing, including applications, surety bonds, reporting, background checks, credit checks, fee processing, and examinations. Moreover, the director may also “participate in multistate supervisory processes established between states and coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and the affiliates and successors of either organization, for all licensees that hold licenses in Indiana and other states,” including entering into agreements to coordinate and share information.
The Act outlines licensing application procedures, as well as licensees’ rights, reporting and recordkeeping requirements, examination processes for outside vendors that provide services normally undertaken by the licensee, criminal penalties, surety bonds, permissible investments, authorized delegate provisions, and explains how the Act applies to licensees issued a license under the current statute, among other things. Additionally, licensees are required to pay all costs reasonably incurred in connection with an examination of the licensee or the licensee’s authorized delegate. The Act’s provisions take effect January 1, 2024.
ID verifier to pay $28.5 million to settle BIPA allegations
On May 5, the U.S. District Court for the Northern District of Illinois preliminarily approved an amended class action settlement in which an identification verification service provider agreed to pay $28.5 million to settle allegations that it violated the Illinois Biometric Information Privacy Act (BIPA). According to the plaintiffs, the defendant collected, stored, and or used class members’ biometric data without authorization when they uploaded photos and state IDs on a mobile app belonging to one of the defendant’s customers. After the court denied the defendant’s move to compel arbitration and determined the plaintiff had standing to pursue his BIPA claims, the parties entered into settlement discussions without the defendant admitting any allegations or liability. The court certified two classes: (i) Illinois residents who uploaded photos to the defendant through the app or website of a financial institution (class members will receive $15.7 million); and (ii) Illinois residents who uploaded photos through a non-financial institution (class members will receive $12.8 million). A final approval hearing will determine attorney’s fees and expenses and incentive awards.
Colorado establishes medical debt collection requirements
On May 4, the Colorado governor signed SB 23-093 to cap the interest rate on medical debt at three percent per year. The Act outlines numerous provisions, including that entities collecting on a medical debt must provide a consumer with a written copy of a payment plan within seven days for medical debt that is payable in four or more installments. The Act also outlines requirements for accelerating or declaring a payment plan longer operative, and lays out prohibited actions (such as collecting on a debt or reporting a debt to a consumer reporting agency within a certain timeframe) relating to medical debt that an entity knows, or reasonably should know, is under review or being appealed. An entity that files a legal action to collect a medical debt must provide to a consumer (upon written request) an itemized statement concerning the debt and must allow a consumer to dispute the debt’s validity after receiving the statement. Entities are prohibited from engaging in collection activities until the itemized statement is delivered. The Act outlines self-pay requirements and estimates, and further provides that it is a deceptive trade practice to violate outlined provisions relating to billing practices, surprise billing, and balance billing laws. The Act takes effect immediately and applies to contracts entered into after the effective date.
Oklahoma ties maximum interest on loans to fed funds rate
The Oklahoma governor recently signed SB 794, which increases the maximum loan finance charge for certain loans (i.e., supervised loans under applicable Oklahoma law) by additionally including the federal funds rate published by the Federal Reserve Board. Specifically, a loan finance charge may not exceed the equivalent of the greater of either of the following: the total of (i) 32 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which is $7,000 or less; (ii) 23 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which greater than $7,000 but less than $11,000; and (iii) 20 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which exceeds $11,000; or 25 percent plus the federal funds rate per year on the unpaid balances of the principal. The federal funds rate is defined as the rate published by the Fed that is “in effect as of the first day of each month immediately preceding the month during which the loan is consummated.” Supervised lenders may contract for and receive a loan finance charge not exceeding what is allowed by the Act. The Act is effective November 1.
Indiana becomes seventh state to enact comprehensive privacy legislation
On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (covered by Special Alerts here and here and InfoBytes here, here, here, and here). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as covered entities governed by the Health Insurance Portability and Accountability Act.
Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities created on or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ personal data without first obtaining consent, or in the case of a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.
While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.
The Act takes effect January 1, 2026.
House committee continues federal privacy legislation discussions
On April 27, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information” to continue discussions on the need for comprehensive federal privacy legislation. Subcommittee Chair Gus Bilirakis (R-FL) delivered opening remarks, commenting that the Committee has examined in depth how a federal privacy law is needed to protect Americans and balance the needs of business, government and civil society, what happens when malicious actors exploit access to data, where the FTC’s jurisdictional lines and authority lay and how that interplays with a comprehensive federal privacy law, and the role of data brokers and the lack of protections given to consumers to manage their data.
During the hearing, subcommittee members commented that one of the big debates about the American Data Privacy and Protection Act (ADPPA) as it came out of committee last year was the degree to which it should preempt state laws. There was push back on the bill from former Speaker Nancy Pelosi who was against the proposed preemption measures, as well as from the California attorney general and the California Privacy Protection Agency who expressed similar concerns and asked Congress to “allow states to provide additional protections in response to changing technology and data privacy protection practices.” The ADPPA was advanced through the committee last July by a vote of 53-2 (covered by InfoBytes here) and was sent to the House floor during the last Congressional session but never came up for a full chamber vote. The bill has not been reintroduced yet.
Subcommittee members said that while drafting a comprehensive national data privacy law is a priority, there are a lot of concerns over preemption of state laws. Certain Republican members also commented that it is very important for Congress to create a single national standard before the FTC proposes data privacy rules from its commercial surveillance rulemaking efforts. As previously covered by InfoBytes, FTC Chair Lina M. Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya testified before the same committee in April, during which time they said they are currently reviewing comments on the proposed rulemaking but support federal privacy legislation.
While the ADPPA has not yet been reintroduced, House Financial Services Committee Chairman Patrick McHenry (R-NC) introduced the Data Privacy Act of 2023 (see H.R. 1165) earlier this year, which would, among other things, modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape and ensure consumers understand how their data is being collected and used and grant consumers power to opt-out of the collection of their data and request that their data be deleted at any time.
Washington State passes new health data privacy measures
The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.
FTC, Pennsylvania ban debt collection operation
On April 26, the FTC and the Commonwealth of Pennsylvania announced that the U.S. District Court for the Eastern District of Pennsylvania recently entered an order permanently banning a debt collection firm and two associated individuals from the industry. The FTC and Pennsylvania sued the defendants in 2020 for their involvement in a telemarketing operation that allegedly misrepresented “no obligation” trial offers to organizations and then enrolled recipients in subscriptions for several hundred dollars without their consent (covered by InfoBytes here). The complaint charged the defendants with violating the FTC Act by, among other things, illegally threatening the organizations if they did not pay for the unordered subscriptions and claimed the debt collection firm handled collections nationwide despite not having a valid corporate registration in any state and only being licensed to collect debt in Washington State. In addition to permanently enjoining the defendants from participating in the debt collection industry (whether directly or through an intermediary), the court order requires the defendants’ continued cooperation as the case proceeds against the other defendants.