On June 10, the U.S. District Court for the Southern District of California denied a national payday lender’s motion to compel arbitration, agreeing with plaintiffs that the arbitration provision in their loan agreement was unenforceable because it was procedurally and substantively unconscionable. According to the opinion, plaintiffs filed a putative class action suit against the payday lender alleging the lender sells loans with usurious interest rates, which are prohibited under California’s Unfair Competition Law and Consumer Legal Remedies Act. The lender moved to compel arbitration asserting that the consumers’ loan agreements contain prohibitions on class actions in court or in arbitration, require arbitration of any claims arising from a dispute related to the agreement, and disallow consumers from acting as a “private attorney general.”
The court first determined that California law applied. It concluded that, while the lender was headquartered in Kansas, the consumers obtained their loans in California, and California “has a materially greater interest than Kansas in employing its laws to resolve the instant dispute,” based on its “material and fundamental interest in maintaining a pathway to public injunctive relief in unfair competition cases.”
The court then determined that the arbitration provision was procedurally unconscionable because, even though the consumers had a 30-day opt-out window, it required them to waive statutory causes of action “before they knew any such claims existed.” Finally, because the provision contained a waiver of public injunctive relief, the court determined it was substantively unconscionable based on the California Supreme Court decision in McGill v. Citibank, N.A. (covered by a Buckley Special Alert here). The court rejected the lender’s arguments that McGill was preempted under the Federal Arbitration Act (FAA), noting that a 2015 decision by the U.S. Court of Appeals for the 9th Circuit “effectively controls” the dispute and that the 9th Circuit reasoned that a similar state-law rule against waivers was not preempted by the FAA. Lastly, the court held that the unconscionable public injunctive relief waiver provision was not severable from the entire arbitration provision, because the agreement contained “poison pill” language that would invalidate the entirety of the arbitration provision.
On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
On June 5, the Nevada governor signed AB 466, requiring the State Treasurer to create a pilot program, authorized to operate from October 1, 2019 through June 30, 2023, for the establishment of one or more closed-loop payment processing systems that enable certain persons to engage in financial transactions relating to marijuana.
The closed-loop payment processing system established under the pilot program must be designed to, among other things: (i) provide marijuana establishments and medical marijuana establishments a safe, secure and convenient method of paying state and local taxes; (ii) prevent revenue from the sale of marijuana from going to criminal enterprises, gangs and drug cartels; and (iii) prevent lawful financial transactions relating to marijuana from being used as a cover or pretext for unlawful activities. The bill requires the State Treasurer to adopt regulations to carry out the pilot program and requires that the State Treasurer submit a report concerning the pilot program on or before December 1, 2020, and every 6 months thereafter.
On June 6, the Maine governor signed S.P. 275/L.D. 946, which requires certain broadband Internet access services to receive express, affirmative consent from a customer before disclosing, selling, or permitting access to a customer’s personal information. Among other things, the provisions stipulate that a customer may revoke his or her consent at any time, and forbid providers from refusing service or charging a penalty or offering a discount based on the customer’s decision to provide or not provide consent. Furthermore, providers must include a “clear, conspicuous and nondeceptive notice at the point of sale,” as well as on the provider’s public website, concerning the provider’s obligations and the customer’s rights. Requirements for safeguarding customers’ personal information are also outlined. The Act applies only to providers operating in Maine that provide Internet access service to customers that are physically located and billed for services received in Maine. The new law will take effect July 1, 2020.
On June 5, the U.S. Court of Appeals for the 9th Circuit affirmed a lower court’s decision to decertify a class of callers claiming their cellphone calls were unlawfully recorded, holding that the class representative lacked standing as to its individual claim. According to the opinion, customers of a concrete supplier alleged that calls placed to a phone system that the company began using in 2009 failed to inform callers that their cellphone calls were being recorded. In 2013, the company changed the recording to state that the calls may be “monitored or recorded.” The class representative sought to certify a class of all persons whose calls were recorded between the time that the company started using the call recording system in 2009 to when it updated the recording. The district court initially denied certification under Federal Rule of Civil Procedure 23’s predominance requirement, and later—after certifying the class based on evidence presented concerning the timing of certain recorded calls—decertified the class for failing to satisfy the “commonality” and “predominance” requirements once the concrete supplier identified nine customers who claimed they had actual knowledge of the recording practice during the class period. In addition, the court concluded that the class representative lacked standing to seek damages on its individual claim or injunctive relief because it lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, which required that it show a concrete or particularized injury as a result of the concrete supplier's alleged violation.
On appeal, the 9th Circuit rejected the class’s argument that it “has standing to appeal the decertification order notwithstanding the adverse judgment against it on the merits” due to the following two exceptions to the mootness doctrine that may permit a class representative to appeal decertification even if its individual claims have been mooted: (i) the class representative “retains a ‘personal stake’ in class certification”; or (ii) “the claim on the merits is ‘capable of repetition, yet evading review,’” even though the class representative has lost “his personal stake in the outcome of the litigation.” The appellate court concluded that “neither of these mootness principles can remedy or excuse a lack of standing as to the representative's individual claims.”
On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and (ii) notify the state Attorney General if a security breach involves personal information of more than 250 consumers, or an undetermined amount of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations it has not adequately safeguarded personal information by showing that it maintained reasonable security measures for protecting personal information in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.
On May 25, the Maryland governor signed HB 0425, which amends the state’s statute of limitations applicable to certain civil actions relating to unfair, abusive, or deceptive trade practices (UDAP) filed against a mortgage servicer. Specifically, the bill requires that an action filed by a homeowner alleging damages arising out of a UDAP violation shall be filed within the earlier of: (i) 5 years after a foreclosure sale of the residential property; or (ii) 3 years after the mortgage servicer discloses its UDAP violation to the homeowner. The bill is effective October 1.
On May 24, the Oregon governor signed SB 366, which repealed the sunset provision on statutes establishing the conditions under which creditors can offer guaranteed asset protection (GAP) waivers in connection with the sale of an automobile. Chapter 523, Oregon Laws 2015 allows creditors to offer GAP waivers to consumers outside of the regulation of the Insurance Code while specifying certain requirements for offering the waivers. Section 11 of Chapter 523 would have repealed these GAP waiver provisions on January 2, 2020. The bill repeals Section 11, allowing for the GAP waiver provisions to remain in effect. The bill is effective January 1, 2020.
On May 30, the OCC filed a letter with the U.S. District Court for the Southern District of New York notifying the court that it intends to work with NYDFS to issue a proposed final order to the court in the action challenging the OCC’s decision to allow fintech companies to apply for a Special Purpose National Bank Charter (SPNB). As previously covered by InfoBytes, in May, the court denied the OCC’s motion to dismiss, concluding that, among other things, the OCC failed to rebut NYDFS’s claims that the proposed national fintech charter posed a threat to the state’s ability to establish its own laws and regulations, and therefore, the challenge “is ripe for adjudication.” In its letter, the OCC states that while it “disagrees with the Court’s decision, and reserves its right to appeal, it believes that the decision renders entry of final judgment in this matter appropriate.” An entry of final judgment would allow the OCC to challenge the decision with the U.S. Court of Appeals for the 2nd Circuit.
On May 30, the Oregon Governor signed HB 2089, which, among other things, prohibits title loan and payday loan lenders from making a new loan to a consumer until seven days after the consumer has fully repaid a previous title loan or payday loan. In addition, lenders may not make or renew a title loan or payday loan with an interest rate exceeding 36 percent annually, excluding a one-time allowable origination fee. These amendments apply to loan contracts, including renewals, executed on or after January 1, 2020.
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference