InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Colorado enacts insurance proceeds disbursement requirements for mortgage servicers
On May 20, Colorado enacted HB24-1011 (the “Act”), which predominantly addressed mortgage servicers’ disbursement of insurance proceeds.
The Act states that, upon the borrower’s request, mortgage servicers must disclose the specific conditions under which the servicer will disburse insurance proceeds in the event that the underlying property was damaged and an insurance company paid proceeds to satisfy the claim. Among other requirements, if the borrower is not delinquent or was less than thirty-one days delinquent in respect of his or her mortgage payments, the borrower is responsible for creating a repair or rebuild plan for the mortgaged property and submitting such plan to the mortgage servicer for approval. In turn, the mortgage servicer is responsible for approving or denying a plan within thirty days of receipt. Additionally, the borrower is entitled to reimbursement of certain advance payments made to a contractor or to purchase materials for the repair or rebuild. The Act outlines a different process if a borrower is more than thirty-one days delinquent on a mortgage payment. The Act provides for additional details regarding the disbursement of proceeds, including the amounts of disbursement.
Additionally, the Act provides that (1) mortgage servicers must disclose, among other items of information, the mortgage interest associated with mortgages upon the commencing of servicing and thereafter as the request of the borrower, and (2) a mortgage servicer must keep all communications with a borrower for at least four years. The Act became effective upon passage.
Minnesota amends list of deceptive practices to include hidden fees
On May 20, the Governor of Minnesota approved HF 3438 (the “Act”) which rewrote two sections of Minnesota’s statutes to 1) redefine the scope of engaging in a deceptive trade practice, and 2) indemnify certain exemptions. Under the revised statute, in Minnesota, a person will engage in a deceptive trade practice when it lists the price of a good or service but does not include all mandatory fees or surcharges. Further, a mandatory fee will include, but is not limited to, a fee that must be paid in order to purchase the goods or services advertised, was not reasonably avoidable by the consumer, or that would be reasonably expected in the purchase of a good or service. A mandatory fee would not include taxes imposed by a government entity. When a consumer would complete a purchase on a delivery platform, the delivery platform must display “in a clear and conspicuous manner” any additional flat fees or percentages which are charged for that purchase. Upon checkout, the delivery platform must display the subtotal and any additional fees added to the total cost. The second amended section referred to exemptions related to lawful fees in association with the purchase or lease of an automobile from a dealership. The Act will go into effect on January 1, 2025.
Maryland enacts child consumer protection laws
On May 9, the Governor of Maryland approved SB 571 (the “Act) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including against processing data not in children’s best interests, profiling children, processing geolocation, using of dark patterns, or monitoring of children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.
Maryland enshrines its consumer online data privacy act
On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.
The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.
Maryland enacts new powers for regulators to examine third parties
On May 9, the Governor of Maryland approved HB 250 (the “Act”) which will authorize the Commissioner of Financial Regulation to examine third parties that service entities under the supervision of the state’s Office of Financial Regulation (OFR). Such licensed entities include both depository and non-depository financial institutions. Currently, the OFR lacks the authority to examine third parties until the Act goes into effect. The Act will define third-party service providers as a “person who performs activities relating to financial services on behalf of a regulated entity for that regulated entity’s customers,” and include data processing centers, activities that support financial services, and internet-related services. On enforcement, the Act will authorize the OFR to enforce the law against any third party that refuses to submit to an examination, refuses to pay a fee, or engages in “unsafe or unsound” behaviors as determined by the OFR. The Act will outline several authorities of the OFR, including notifying the licensed person, which information the OFR can access, and levying fees. Following a notice and hearing, the Commissioner may issue a cease-and-desist order, suspend or revoke a violator’s license, or issue a penalty of up to $10,000 for the first violation and up to $25,000 for each subsequent violation. The Act takes effect on October 1.
Connecticut becomes latest state to ban medical debts in credit reporting
On May 9, the Governor of Connecticut approved SB 395 (the “Act”) banning health care providers from reporting medical debt to credit rating agencies. Further, the Act will prohibit hospitals and collection agents from reporting a patient to a credit rating agency, as well as initiating an action to foreclose a lien where the lien was filed to secure payment for health care (retroactive from October 1, 2022), and from garnishing wages for health care collections (also retroactive from October 1, 2022). The Act will go into effect on July 1. The CFPB wrote in favor of this bill’s enactment after the CFPB promulgated its NPRM to prohibit creditors from using medical bills in underwriting decisions, as covered by InfoBytes here.
NYDFS releases its Cybersecurity Program Template
On May 13, NYDFS issued a guidance letter informing licensed entities about its Cybersecurity Program Template. NYDFS created the Template to help individual licensees and individually owned businesses licensed by NYDFS to develop a cybersecurity program as required by its cybersecurity regulation (23 NYCRR Part 500). The Template was prepared based on the version of the NYDFS Cybersecurity Regulation in effect as of November 1, 2023 (covered by InfoBytes here). The template does not need to be submitted to NYDFS or any other state agencies for approval.
Maryland updates prohibited items reported on consumer credit reports
On May 9, the Governor of Maryland approved SB 41 (the “Act”) which will change the requirements on prohibitions for consumer reporting agencies as to what information they may include in consumer credit reports.
The Act will prohibit consumer reporting agencies from reporting bankruptcies more than 10 years before the credit report would be issued, suits and judgments of more than seven years, paid tax liens greater than seven years, accounts placed for collection of more than seven years, arrest records or other crime reports of greater than seven years, and “any other adverse information that predates the report” by more than seven years. These reporting prohibitions do not apply to credit transactions with a principal amount of at least $150,000, as well as both the underwriting of life insurance with a face value of at least $150,000 or the employment of someone with a salary of at least $75,000. The Act will go into effect on October 1.
Tennessee amends consumer debt proceeding requirements and garnishment exemptions
On May 3, the Governor of Tennessee signed into law HB 2320 (the “Act”), which will amend pleading requirements for consumer debt suits and garnishment exemptions. The Act would require that, in a civil suit or arbitration requesting judgment on a consumer debt, the plaintiff creditor would provide the following in the initial pleading: (i) if the debtor’s agreement does not exist, then provide written evidence of the debtor’s agreement or a document provided to the debtor while the account was active; (ii) a statement that the debt has been transferred or assigned; (iii) the date of the transfer or assignment; (iv) the name of any prior holders of the debt; and (v) the name or a description of the original creditor. Additionally, the Act will amend Tennessee’s garnishment provisions to automatically exempt them from execution, seizure, or attachment funds up to $2,500 in a debtor’s deposit account with a bank or financial institution. The Act will go into effect on July 1.
Georgia amends provisions for telemarketing provisions for defendants
On May 6, Georgia enacted SB 73 (the “Act”), which amends, among other things, Georgia’s telemarketing laws. The Act clarifies that no person or entity can make or cause any telephone solicitation violations, now on behalf of another person or entity, and sets forth that there is a private right of action against violators. The Act also amends the damages to be the actual monetary loss for each violation or a violation up to $1,000 in damages, whichever is greater. However, if a class action lawsuit is brought under the Act, the $1,000 in statutory damages would not apply. The Act further provides that ignorance would not be a valid defense if a defendant did not make or was not aware how a telephone solicitation violated applicable laws. However, it is defensible if the defendant had established policies and procedures to prevent violations, and enforced such procedures, or if a phone number was provided in error so long as the defendant did not have any knowledge of the mistake.