On November 5, the California Department of Financial Protection and Innovation (DFPI) issued a fourth draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written, consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. California released the first draft of the proposed regulations in July 2019, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released second and third rounds of modifications in August and October of this year (covered by InfoBytes here, here, here, and here). The fourth modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications amend the term “average monthly cost” to mean the average total amount paid by the recipient (for periodic and irregular payments) over a contract’s term divided by the number of months specified in the contract. Providers may divide the number of days in the contract term by 30.4 to determine the number of months in the contract term. This calculation may also be used to determine the “estimated monthly cost.” Comments on the fourth modifications must be received by November 22.
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas Consumer Protection Act and the Wayne Owen Act by repeatedly disposing of records in unsecured trash receptacles without “rendering the personal information unreadable or undecipherable.” By engaging in these actions, the AG stated, the companies failed to comply with the requirements that companies implement and maintain reasonable policies and procedures and exercise reasonable care to protect personal information from unauthorized access and use, and take reasonable steps to destroy records containing personal information when they are no longer needed. Under the terms of the consent judgments (see here, here, and here), the companies must pay the fine, implement measures to ensure the proper disposal of documents, conduct employee training on the proper handling and disposal of personal information, and evaluate their information security programs and policies to ensure personal information is protected.
On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.
On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, the plaintiff filed the proposed class action in 2019, alleging the defendant violated Illinois’ Biometric Information Privacy Act (BIPA) by collecting thousands of fingerprints through a finger-scanning donor identification system without providing proper disclosures or obtaining informed written consent. The plaintiff further alleged that the defendant required her (and thousands of Illinois blood plasma donors) to provide a fingerprint to donate plasma, which was later used for identification on subsequent visits. The plaintiff alleged that by not requiring her informed consent and by disclosing her information to a third party, the defendant’s practice violated BIPA. According to the plaintiff’s motion, the settlement (if approved) would establish a settlement class of 76,826 Illinois blood plasma donors who were required to scan their finger at the defendant’s Illinois facilities prior to donating plasma. The settlement would provide payouts of approximately $400 to $800 per class member, assuming a claims rate of 10 percent to 20 percent, and permit class counsel to file for up to 35 percent of the settlement fund for attorney fees.
On November 3, NYDFS issued proposed changes to the state’s Community Reinvestment Act (New York CRA) to guarantee the department “has the necessary data to ensure banks are evolving to best serve their communities and protect against redlining and fair lending violations.” The proposed regulation further specifies the type of communities the New York CRA plans to support and will enable NYDFS to evaluate the extent to which minority- and women-owned businesses are offered and provided credit. In June 2020, NYDFS issued an industry letter (covered by InfoBytes here) to alert regulated entities that it planned to make changes to its CRA examination process in response to an amendment to the New York CRA, which required NYDFS to consider “several aspects of banking institutions’ activities with respect to minority- and women-owned businesses.” Among other things, the proposed regulation outlines data collection and submission requirements, including (i) asking whether a business applying for a loan or credit is minority- or women-owned or both; (ii) reporting application details such as the date, type of credit applied for and amount, and whether the application was approved or denied; and (iii) reporting a business’s size and location. Comments will be accepted for 60 days following publication in the State Register.
The New York CRA has undergone several expansions recently. As previously covered by InfoBytes, the New York governor signed legislation on November 1 expanding the New York CRA to cover non-depository lenders. Under the amendments, nonbank mortgage providers’ lending and investment in low- and moderate-income communities will be subject to NYDFS review.
Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring its cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500.
At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.
On November 3, NYDFS announced the creation of the Climate Risk Division and the appointment of Dr. Yue (Nina) Chen as its Executive Deputy Superintendent and the inaugural NYDFS Director of Sustainability and Climate Initiatives. According to the announcement, the Climate Risk Division will, among other things: (i) include climate risks in its regulated entities supervision; (ii) support industry growth regarding climate risk management; (iii) coordinate with international, national, and state regulators; (iv) develop internal capacity regarding climate-related financial risks and support the capacity-building of peer regulators; and (v) ensure access to financial services is fair for all communities.
On October 26, the U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of civil rights claims for lack of standing, holding in an unpublished opinion that the plaintiffs satisfied Article III standing requirements by alleging that a bank discriminated against non-U.S. citizens in barring them from opening accounts online. The plaintiffs, lawful residents with valid Social Security numbers, filed a putative class action complaint claiming the bank allowed U.S. citizens to apply for new checking accounts online, but required the plaintiffs (based solely on their status as non-U.S. citizens) to apply in person at a branch office. The district court dismissed the claims, ruling that the plaintiffs failed to establish standing for their discrimination claims on the basis of citizenship status. The 9th Circuit disagreed, finding that “discrimination itself . . . can cause serious non-economic injuries to those persons who are denied equal treatment solely because of their membership in a disfavored group,” and concluding that the plaintiffs alleged a concrete injury-in-fact sufficient to confer Article III standing. “The fact that [p]laintiffs would have ultimately obtained the same checking account given to U.S. citizens does not vitiate the alleged discriminatory injury: that [the bank] imposes on non-U.S. citizens a requirement to apply in person that it does not impose on others,” the appellate court said. The 9th Circuit added that this injury was directly linked to the bank’s policy and reversed the dismissal but declined to rule on the substance of the claims.
On October 27, the U.S. District Court for the Western District of New York denied a motion to dismiss an action brought by the CFPB and the New York attorney general against the operators of a debt-collection scheme, rejecting the defendants’ argument that they did not have fraudulent intent and their actions were taken for legitimate reasons. As previously covered by InfoBytes in April, the CFPB and the AG filed a complaint against the defendants for allegedly transferring ownership of his $1.6 million home to his wife and daughter for $1 shortly after he received a civil investigative demand and learned that the Bureau and the AG were investigating his debt-collection activities. The complaint further alleged that the transfer of the property was a fraudulent transfer under the FDCPA and made with the intent to defraud (a violation of the New York Debtor and Creditor Law), and that the owner-defendant “removed and concealed assets in an effort to render the Judgment obtained by the Government Plaintiffs uncollectable.” In 2019 the Bureau and the AG settled with the debt collection operation to resolve allegations that the defendants established and operated a network of companies that harassed and/or deceived consumers into paying inflated debts or amounts they may not have owed (covered by InfoBytes here).
The court denied the defendants’ motion to dismiss, concluding that the CFPB and AG raised sufficient allegations that the debtor’s transfers and mortgage on his property were knowingly fraudulent. The court determined that fraudulent intent under the FDCPA may be determined by several factors, sometimes called “badges of fraud,” including whether “‘the transfer or obligation was to an insider,’ ‘the debtor retained possession or control of the property transferred after the transfer,’ ‘before the transfer was made or obligation was incurred, the debtor had been sued or threatened with suit,’ ‘the value of the consideration received by the debtor was reasonably equivalent to the value of the asset transferred or the amount of the obligation incurred,’ and ‘the transfer occurred shortly before or shortly after a substantial debt was incurred.’” The court held it was reasonable to infer that the defendant was aware “that he would likely face civil prosecution” and judgments “would be beyond his ability to pay.” The court noted that the defendant engaged in transferring a personally significant asset—his $1.6 million residence—to two insiders for nominal consideration, which was considered to be “highly unusual.” Additionally, the defendant alleged that he continued to “‘reside at and exercise control over’ the property and is now unwilling or unable to pay off the judgment,” which indicated the conveyance was also part of a sham divorce. Further, the court noted that “the complaint plausibly alleges that the mortgage ‘was not granted in good faith’ and was ‘made with the intent to make it appear that the Property was encumbered.’”
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information when defendants were the targets of security breach incidents where an unauthorized user’s access to the defendants’ network and computer systems resulted in unauthorized access of personal, private information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.