Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Washington enacts robocall measures
On April 20, the Washington governor signed HB 1051 to expand existing provisions regulating robocalls and telephone solicitations and prohibit abusive telephone communications that mislead or harm state residents. In doing so, the Act extends liability to “persons who provide substantial assistance or support in the origination and transmission of robocalls” that violate state law, and prohibits the initiation of unwanted calls to phone numbers listed on the National Do Not Call Registry pursuant to the Telemarketing Sales Rule. Among other things, practices that violate the Act’s provisions will be considered an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the state’s consumer protection act. Injured persons may bring a civil action in Washington superior court to prevent further violations and “shall recover actual damages or $1,000 per violation of this section, whichever is greater.” The Act is effective July 23.
Washington enacts credit repair regulation
On April 20, the Washington governor signed HB 1311 to enact provisions relating to credit repair services performed by a credit services organization. Among other things, the Act outlines new requirements, including that a credit services organization must provide consumers with a monthly statement that details the services performed, as well as “an accounting of any funds paid by a consumer and held or disbursed on the consumer’s behalf and copies of any letters sent by the credit services organization on the consumer’s behalf,” if applicable. Additionally, a credit services organization is prohibited from sending any communications to a consumer reporting agency, creditor, collection agency, or regulatory entity unless the consumer has provided prior written authorization. Credit services organizations must also comply with specified written communication requirements and provide disclosures addressing consumers’ rights to review their files. Modifications to certain provisions relating to notices of cancellation have also been made. The Act is effective July 23.
Kansas enacts financial institutions information security act
On April 20, the Kansas governor signed SB 44 to enact the Kansas financial institutions information security act. The Act establishes information security standards for covered entities, and applies to credit service organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions. A covered entity will be required to develop, implement, and maintain a cybersecurity system to protect consumer information, and must ensure its information security program is maintained as part of its books and records in compliance with established record retention requirements. Additionally, the state bank commissioner is granted the authority to adopt “all rules and regulations necessary to govern and administer the [Act’s] provisions.” The commissioner is also given an assortment of enforcement tools to administer the Act, including: conducting routine examinations; investigating a covered entity’s operations; issuing subpoenas; assessing fines and civil penalties not to exceed $5,000 per violation, as well as investigation and enforcement costs; censuring registered or licensed covered entities; entering into memorandums of understanding or consent orders; revoking, suspending, or refusing to renew the registration or license of covered entities; issuing cease-and-desist orders; filing for injunctions; or issuing emergency orders to prevent harm to consumers. The Act takes effect July 1.
House subcommittee holds hearing on stablecoin regulation
The House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion recently held a hearing to examine stablecoins’ role in the payment system and to discuss proposed legislation for creating a federal framework for issuing stablecoins. A subcommittee memorandum identified different types of stablecoins (the most popular being pegged to the U.S. dollar to diminish volatility) and presented an overview of the market, which currently consists of more than 200 different types of stablecoins, collectively worth more than $132 billion. The subcommittee referred to a 2021 report issued by the President’s Working Group on Financial Markets, along with the FDIC and OCC (covered by InfoBytes here), in which it was recommended that Congress pass legislation requiring stablecoins to be issued only by insured depository institutions to ensure that payment stablecoins are subject to a federal prudential regulatory framework. The subcommittee discussed draft legislation that would define a payment stablecoin issuer and establish a regulatory framework for payment stablecoin issuers, including enforcement requirements and interoperability standards.
Subcommittee Chairman, French Hill (R-AR), delivered opening remarks, in which he commented that the proposed legislation would require stablecoin issuers to comply with redemption requirements, monthly attestation and disclosures, and risk management standards. Recognizing the significant amount of work yet to be done in this space, Hill said he believes that “innovation is fostered through choice and competition,” and that “one way to do that is through multiple pathways to become a stablecoin issuer, though with appropriate protections [to] prevent regulatory arbitrage and a race to the bottom.” He cited reports that digital asset developers are leaving the U.S. for countries that currently provide a more established regulatory framework for digital assets, and warned that this will stymie innovation, jobs, and consumer/investor protection. He also criticized ”the ongoing turf war between the SEC and CFTC” with respect to digital assets, and warned that “[w]hen you have two agencies contradicting each other in court about whether one of the most utilized stablecoins in the market is a security or a commodity, what you end up with is uncertainty.”
Witness NYDFS Superintendent Adrienne A. Harris discussed the framework that is currently in place in New York and highlighted requirements for payment stablecoin issuers operating in the state. In a prepared statement, Harris said many domestic and foreign regulators call the Department’s regulatory and supervisory oversight of virtual currency the “gold standard,” in which virtual currency entities are “subject to custody and capital requirements designed to industry-specific risks necessary for sound, prudential regulation.” Harris explained that NYDFS established “additional regulations, guidance, and company-specific supervisory agreements to tailor [its] oversight” over financial products, including stablecoins, and said the Department is the first agency to provide regulatory clarity for these types of products. She highlighted guidance released last June, which established criteria for regulated entities seeking to issue USD-backed stablecoins in the state (covered by InfoBytes here), and encouraged a collaborative framework that mirrors the regulatory system for more traditional financial institutions and takes advantage of the comparative strengths offered by federal and state regulators. Federal regulators will be able to comprehensively address “macroprudential considerations” and implement foundational consumer and market protections, while states can “leverage their more immediate understanding of consumer needs” and more quickly modernize regulations in response to industry developments and innovation, Harris said.
DFPI cracks down on crypto platforms’ AI claims
On April 19, the California Department of Financial Protection and Innovation (DFPI) announced enforcement actions against five separate entities and an individual for allegedly offering and selling unqualified securities and making material misrepresentations and omissions to investors in violation of California securities laws. According to DFPI, the desist and refrain orders allege that the subjects (which touted themselves as cryptocurrency trading platforms) engaged in a variety of unlawful and deceptive practices, including promising investors high yield returns through the use of artificial intelligence to trade crypto assets, falsely representing that an insurance fund would prevent investor losses, and using investor funds to pay purported profits to other investors. The subjects also allegedly took measures to make the scams appear to be legitimate businesses through the creation of professional websites and social media accounts where influencers and investors shared testimonials about the money they were supposedly making. The orders require the subjects to stop offering, selling, buying, or offering to buy securities in the state, and demonstrate DFPI’s continued crackdown on high yield investment programs.
New York AG releases guide for businesses to protect consumer’s personal information
On April 19, the New York attorney general released a data security guide to help businesses adopt effective data security measures for protecting state residents’ personal information. The guide outlines recommendations for preventing data breaches and securing personal information, and discusses recent data security failures. Recommendations include (i) implementing strong controls for secure authentication; (ii) encrypting sensitive customer information; (iii) ensuring third-party vendors use appropriate, reasonable data security measures to safeguard customer information; (iv) maintaining inventories of assets and locations that contain customer information; (v) implementing effective safeguards to prevent “credential stuffing” attacks where usernames and passwords stolen from other online services are used in an attempt to log in to a customer’s online account; and (vi) notifying customers quickly and accurately when a data breach occurs. The guide is drawn from the AG’s experience in investigating and prosecuting data breaches.
DFPI says escrow trust accounts are not stored value under MTA
The California Department of Financial Protection and Innovation recently released a new opinion letter covering aspects of the California Money Transmission Act (MTA) and the Escrow Act related to persons engaging in business as an escrow agency within the state. The redacted opinion letter examines a request from the inquiring company for confirmation that it does not require either an internet escrow agent license or a money transmitter license in the state of California in connection with its proposed business model (details on the model have been omitted). DFPI responded that under the Escrow Law, “it is unlawful for any person to engage in business as an escrow agent within this state except by means of a corporation duly organized for that purpose licensed by the commissioner as an escrow agent.” The definition of an “internet escrow agent,” DFPI explained, was added to Financial Code section 17003, subdivision (b) to mean “any person engaged in the business of receiving escrows for deposit or delivery over the Internet.” DFPI concluded that based on the facts asserted within the request, the inquiring company has not demonstrated that its proposed model is exempt from the Escrow Law.
DFPI further considered whether the inquiring company’s proposed model meets the definition of stored value under the MTA, and whether it qualifies for several exemptions under the statute. DFPI explained that the transactions under consideration are not considered “stored value under the definition in Financial Code section 2003, subdivision (x), because they do not represent a claim against the issuer; rather, the money comes under [the inquiring company’s] possession and control and therefore must be placed in an escrow trust account. “An escrow trust account is not the same as stored value,” DFPI said, adding that since the transaction is not stored value, it is unnecessary to address the remaining arguments regarding the MTA.
North Dakota establishes requirements for residential mortgage servicers
On April 12, the North Dakota governor signed HB 1068, which outlines provisions relating to residential mortgage loan servicers. The Act provides that a person may not engage in residential mortgage loan servicing in the state without being licensed by the commissioner. This applies to servicers, subservicers, or a mortgage servicing rights investor. “A person engages in residential mortgage loan servicing in the state if the borrower resides in North Dakota,” the Act explains. Exempt from licensure are financial institutions, state or federal housing finance agencies, institutions chartered by the farm credit administration, and not-for-profit mortgage servicers. The Act outlines application and fee requirements and specifies financial conditions for applicants and licensees. Large mortgage servicers must also abide by certain corporate governance conditions, including the establishment of a board of directors responsible for oversight and compliance monitoring. These licensees must also obtain external audits and establish risk management programs.
The Act outlines prohibited acts and practices and grants authority to the Department of Financial Institutions to promulgate rules and regulations to enforce the law and power to carry out the provisions, including through orders and injunctions. The commissioner will also oversee the licensure process, including provisions concerning the expiration, renewal, revocation, suspension, and surrender of licenses, and may issue orders suspending and removing residential mortgage loan servicer officers and employees. The commissioner may also conduct investigations and examinations and impose civil money penalties of not more than $100,000 for each occurrence and $1,000 per day for each day that the violation continues after issuance of an order. Licensees may appeal by filing a written notice within 20 days after the assessment of a civil money penalty. The Act is effective August 1.
DFPI proposes new CCFPL modifications on complaints and inquiries
On April 14, the California Department of Financial Protection and Innovation (DFPI) released a third round of modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. DFPI modified the proposed text in December and March (covered by InfoBytes here and here) in response to comments received on the initially proposed text issued last year to implement Section 90008 subdivisions (a) (b), and (d)(2)(D) of the CCFPL (covered by InfoBytes here). Subdivisions (a) and (b) authorize the DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and the DFPI concerning consumer complaints and inquiries, whereas subdivision (d)(2)(D) permits covered persons to withhold certain non-public or confidential information when responding to consumer inquiries.
DFPI considered comments on the most recent proposed modifications and is now proposing further additional changes:
- Amended definitions. The proposed modifications change “officer” to “complaint officer” and expand the definition to mean “an individual designated by the covered person with primary authority and responsibility for the effective operation and governance of the complaint process, including the authority and responsibility to monitor the complaint process and resolve complaints.” References to “officer” have been changed to “complaint officer” throughout.
- Complaint processes and procedures. The proposed modifications make clarifying edits to the requirements for annual notices issued to consumers (disclosures must be provided “in a clear and conspicuous manner”), and specify that complaints pertaining solely to entities not involved in the offering or providing of the financial product or service being reported on should not be included in the number of complaints received.
- Inquiry processes and procedures. The proposed modifications clarify that should an inquirer indicate any dissatisfaction “regarding a specific issue or problem” concerning a financial product or service or allege wrongdoing by the covered person or third party, the inquiry should be handled as a complaint.
Comments are due April 29.
NYDFS to impose supervision fees on virtual currency licensees
On April 17, NYDFS announced the adoption of a final regulation establishing how certain licensed virtual currency businesses will be assessed for supervision and examination costs. Under 23 NYCRR Part 102, licensed virtual currency companies holding a Bitlicense will be assessed for their supervisory costs, similar to other licensees regulated by the Department. Last year, NYDFS first proposed a provision in the state budget authorizing the Department to collect supervisory costs from virtual currency businesses licensed pursuant to the Financial Services Law in order to add talent to its virtual currency regulatory team. (Covered by InfoBytes here.) NYDFS explained that the regulation will only apply to licensed virtual currency businesses and that the fees will only cover the costs and expenses associated with the Department’s oversight of a licensee’s virtual currency business activities. A licensee’s total annual assessment fee will be the sum of its supervisory component and its regulatory component, as defined in the regulation, and will be billed five times per fiscal year, once per quarter and a final true-up at the end of the fiscal year. The background to the final regulation notes that to the extent that a person holds multiple licenses to engage in virtual currency business activities, or concurrently acts as a money transmitter, such person will be billed separately for each license, adding that “[p]ersons who engage in virtual currency business activities as a limited purpose trust company or a banking organization will continue to be assessed under 23 NYCRR Part 101.” The final regulation takes effect upon publication of the Notice of Adoption in the New York State Register.