InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California DBO issues cannabis banking guidance
On October 3, the California Department of Business Oversight (DBO) issued guidance for state-chartered financial institutions that serve cannabis-related businesses. The guidance, which is intended to help financial institutions manage risks appropriately, addresses cannabis program governance and compliance with the Bank Secrecy Act (BSA), as well as cannabis banking guidance issued in 2014 by the Financial Crimes Enforcement Network (FinCEN). As previously covered by InfoBytes, FinCEN’s guidance—which includes federal law enforcement priorities still in effect that were taken from a now-rescinded DOJ memo—details the necessary elements of a customer due diligence program, ongoing monitoring and suspicious activity report filing requirements, and priorities and potential red flags. Notably, the DBO states that while it will not bring regulatory actions against state-chartered financial institutions “solely for establishing a banking relationship with licensed cannabis businesses,” it expects all financial institutions to comply with FinCEN’s BSA expectations and guidance to make appropriate risk assessments. The DBO also referred bank examiners to its September Cannabis Job Aid, which is intended to assist with the examination of financial institutions that may be banking cannabis-related businesses.
California cities allowed to form public banks
On October 2, the California governor signed AB 857 to authorize the creation of “public banks” in the state to support local economies, community development, and address infrastructure and housing needs for localities. Under AB 857, public banks are defined as “a corporation, organized as either a nonprofit mutual benefit corporation or a nonprofit public benefit corporation for the purpose of engaging in the commercial banking business or industrial banking business, that is wholly owned by a local agency, as specified, local agencies, or a joint powers authority.”
Among other things, cities who submit applications to the California Department of Business Oversight (DBO) to obtain a certificate of authorization will be required to provide a viability study, as well comply with “[a]ll provisions of law applicable to nonprofit corporations” and obtain deposit insurance through the FDIC. AB 857 also requires “a local agency that is not a charter city to obtain voter approval of a motion to submit an application to the [DBO].” The number of new public bank licenses the DBO is authorized to approve is limited to two per calendar year, with no more than 10 public banks operating at any time. In addition, public banks may only offer products to retail customers through partnerships with existing financial institutions, and are barred from competing with local financial institutions. AB 857 expires seven years after regulations under this law are promulgated.
California addresses robocall spoofing
On October 2, the California governor signed SB 208, the “Consumer Call Protection Act of 2019,” which requires telecommunications service providers (TSPs) to implement specified technological protocols to verify and authenticate caller identification for calls carried over an internet protocol network. Specifically, the bill requires TSPs to implement “Secure Telephone Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN) protocols or alternative technology that provides comparable or superior capability by January 1, 2021. The bill also authorizes the California Public Utilities Commission and the Attorney General to enforce certain parts of 47 U.S.C. 227, making it unlawful for any person within the U.S. to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
As previously covered by InfoBytes, in June 2019, the FCC adopted a Notice of Proposed Rulemaking (NPRM) requiring voice providers to implement the “SHAKEN/STIR” caller ID authentication framework. The FCC argued that once “SHAKEN/STIR” is implemented, it would “reduce the effectiveness of illegal spoofing and allow bad actors to be identified more easily.”
CSBS seeks comments on money services businesses model law
On October 1, the Conference of State Bank Supervisors (CSBS) issued a request for comments on its Draft Model Law Language for money services businesses (MSBs). According to CSBS, state regulation of MSBs is a primary part of Vision 2020—a state regulator initiative to modernize the regulation of fintech companies and other non-banks by creating an integrated, 50-state system of licensing and supervision. (Previously covered by InfoBytes here.) The model MSB law draft addresses recommendations made by the Payments Subgroup of the Fintech Industry Advisory Panel, and “is based on and overlays the Uniform Money Services Act.” In addition, the draft amends definitions and interpretations that vary between states, and consists of three primary policies: (i) regulations “must sufficiently protect consumers from harm, including all forms of loss”; (ii) regulations “must enable the states’ ability to prevent bad actors from entering the money services industry”; and (iii) regulations “must preserve public confidence in the financial services sector, including the states’ ability to coordinate.” According to the Fintech Industry Advisory Panel, differences in standards and procedures for change in control have created significant administrative burdens, which the working group addressed by standardizing change of control triggers and the definition of control persons. The draft also includes implementation language designed to provide the legal framework to facilitate interstate coordination and the adoption of consistent standards and processes. The proposed language is adapted from current state laws, which focus “on permitting interstate supervision and creating parity between national and state chartered banks.” CSBS notes that using these models will grant states the legal authority to adjust to new products, risks, processes, and technological capabilities in a coordinated manner.
Comment are due November 1.
CFPB and South Carolina take action against loan broker for veteran pension loans
On October 1, the CFPB and the South Carolina Department of Consumer Affairs filed an action in the U.S. District Court for the District of South Carolina against two companies and their owner, alleging that the defendants violated the Consumer Financial Protection Act (CFPA) and the South Carolina Consumer Protection Code (SCCPC) by offering high-interest loans to veterans and other consumers in exchange for the assignment of some of the consumers’ monthly pension or disability payments. The complaint alleges that the majority of the credit offers are brokered for veterans with disability pensions or retirement pensions. The defendants allegedly did not disclose to consumers the interest rates associated with the products, marketing the contracts as sale of payments and not credit offers. The defendants also allegedly did not disclose that the contracts were void under federal and state law, which prohibit the assignment of certain benefits. The Bureau and South Carolina are seeking injunctive relief, restitution, damages, disgorgement, and civil money penalties.
The Bureau’s announcement notes that this is the third action in 2019 related to the marketing or administration of high-interest credit to veterans. As previously covered by InfoBytes, in January 2019, the Bureau settled with an online loan broker resolving allegations that the broker violated the CFPA by operating a website that connected veterans with companies offering high-interest loans in exchange for the assignment of some or all of their military pension payments. Additionally, in August 2019, the Bureau and the Arkansas attorney general announced a proposed settlement with three loan brokerage companies, along with their owner and operator, for allegedly misrepresenting high-interest credit offers to veterans and other consumers as purchases of future pension or disability payments (covered by Infobytes here).
New York AG sues national coffee chain over data breach
On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.
Ballot initiative seeks to expand CCPA, create new enforcement agency
On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from McTaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others
- Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
- Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or use sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
- Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
- Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
- Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
- Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
- Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
- Definition of business. The Act revises the definition of “business” to:
- Clarify that the time period for calculating annual gross revenues is based on the prior calendar year;
- Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
- Include a joint venture or partnership composed of business in which each business has at least a 40% interest; and
- Provides a catch-all for businesses not covered by the foregoing bullets.
- The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.
If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.
As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting Governor Gavin Newsom’s signature, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.
House Republicans push OCC for Madden regulatory fix
On September 19, 26 Republican members of the House Financial Services Committee wrote to the OCC, urging the agency to update its interpretation of the definition of “interest” under the National Bank Act (NBA) to limit the impact of the U.S. Court of Appeals for the Second Circuit’s 2015 decision in Madden v. Midland Funding, LLC (covered by a Buckley Special Alert here). The letter argues that Madden deviated from the longstanding valid-when-made doctrine—which provides that if a contract that is valid (not usurious) when it was made, it cannot be rendered usurious by later acts, including assignment—and has “caused significant uncertainty and disruption in many types of lending programs.” Specifically, the letter asserts that the decision “threatens bank-fintech partnerships” that may provide better access to capital and financing to small business and consumers. The letter acknowledges the recently filed amicus brief in the U.S. District Court for the District of Colorado by the OCC and the FDIC, which criticized the Madden decision for disregarding the valid-when-made doctrine and the “stand-in-the-shoes-rule” of contract law (previously covered by InfoBytes here), and requests that the OCC prioritize rulemaking to address the issue.
District Court: Law firm's professional debt-collection services exempt from MCPA
On September 17, the U.S. District Court for the District of Maryland partially granted a law firm’s motion for summary judgment in a consolidated debt-collection action concerning alleged violations of the Maryland Consumer Debt Collection Act (MCDCA) and the Maryland Consumer Protection Act (MCPA). The law firm, which collects debts from consumers relating to residential leases, filed breach of contract actions against four plaintiffs seeking damages resulting from residential lease breaches. According to two of the plaintiffs, the law firm violated the FDCPA, the MCDCA, and the MCPA when it charged a 10-percent post-judgment interest rate, 4 percent higher than the applicable statutory rate legally allowed. The other two plaintiffs alleged violations of the FDCPA and the MCDCA. In 2018, following the court’s decision to certify the question of law to the Maryland Court of Appeals, the appeals court found that “a post-judgment interest rate of six [percent] applies” in circumstances where a trial court enters judgment in a landlord’s favor, including damages for unpaid rent and other expenses.
The court first addressed the plaintiffs’ FDCPA claims, ruling that the claims are time-barred as the statute of limitations expired prior to the filing of each plaintiff’s complaint. With regard to the plaintiffs’ MCDCA claim, the court concluded that the law firm’s use of a 10-percent post-judgment interest rate is “the type of unauthorized charge proscribed by the MCDCA,” dismissing the law firm’s argument that the interest rate was a “mistake regarding the amount owed on the underlying debt. . .and that a challenge to the amount of interest owed is a challenge to the validity of the underlying debt.” Additionally, the court denied the law firm’s motion for summary judgment on the MCDCA claim because lack of knowledge “‘does not immunize debt collectors from liability for mistakes of law.’”
However, the court granted the law firm’s motion for summary judgment on the MCPA claim because law firms engaged in professional debt-collection services are exempt from liability under the MCPA, and that exemption does not require a relationship between the parties.
28 state AGs argue CFPB’s debt collection proposal “falls far short”
On September 18, 28 state attorneys general filed a comment letter in response to the CFPB’s Notice of Proposed Rulemaking (NPRM) amending Regulation F to implement the Fair Debt Collection Practices Act (FDCPA) (the “Proposed Rule”), urging the Bureau to reconsider the proposal. As previously covered by InfoBytes, on May 7, the CFPB issued the Proposed Rule, which covers debt collection communications and disclosures and addresses related practices by debt collectors. The comment letter argues that, “on the most critical issues, the Proposed Rule falls far short.” Specifically, the AGs assert that the bright-line call limit would not meaningfully reduce calls for the majority of consumers because the limit is placed on the debt, not on the consumer, which “renders any benefits to consumers illusory.” Moreover, because there is no restriction on the number of electronic communications a debt collector can send, the AGs argue that the Proposed Rule would result in a “barrage of emails and texts, and even social media contacts.” In addition to the concerns on contact, the letter, among other things, argues that the Proposed Rule: (i) should require affirmative consent for contact methods outside of phone or mail, as opposed to the opt-out requirements; (ii) should only allow for electronic delivery of validation notices with E-SIGN Act compliance; (iii) should have a strict-liability standard for collections on time-barred debt; and (iv) should apply to first-party creditors, as well as third-party creditors. Lastly, the letter notes the Proposed Rule fails to address a number of other topics, including the substantiation of debt prior to litigation, debt payment allocation, and the additional challenges faced by servicemembers.