InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Minnesota Attorney General settles with tribal company over high interest rates
On February 21, the Minnesota Attorney General announced a settlement with a tribal economic development entity to resolve a 2023 federal lawsuit that alleged the entity’s lending subsidiaries were engaged in predatory lending and illegal interest rates, in violation of Minnesota and federal consumer lending laws. As previously covered by InfoBytes, the complaint claimed that the entity’s lending subsidiaries charged interest rates of up to 800 percent in violation of state statutory caps of eight percent, and led state residents to believe that the entity was exempt from state laws that protect against predatory lending.
Under the terms of the settlement, the entity and its subsidiaries can no longer lend to Minnesota residents nor advertise or market those loans. The settlement also required any loan issued to consumers in Minnesota before the settlement is canceled, except to recover the original principal balance with all past payments to be attributed towards paying down the principal balance.
New York AB 2672 goes into effect and establishes credit card surcharge provisions
Recently, New York AB 2672 (the "Act") was enacted, and went into effect on February 11. The Act requires merchants that impose a credit surcharge fee to clearly and conspicuously post prices inclusive of a surcharge fee. The Act allows merchants to use a two-tier pricing system, in which two different prices display whether a consumer uses a credit card or another form of payment on a transaction. The Act also establishes a civil penalty not to exceed $500 for each violation.
New York State Attorney General wins $77 million judgment against short-term lenders for predatory lending
On February 8, New York State Attorney General (AG) Letitia James announced a more than $77 million judgment against three merchant cash advance (MCA) companies for usury and fraud based on allegations the lenders used short-term loans to charge illegally high-interest and undisclosed fees.
In a June 2020 announcement, Attorney General James detailed her office’s investigation, which concluded that the companies employed practices including (i) extending MCAs to small business owners at illegal interest rates over short durations; (ii) imposing undisclosed fees; (iii) withdrawing excess amounts from merchants’ bank accounts; and (iv) procuring judgments against merchants through the submission of falsified affidavits in New York State courts.
The judgment follows a September 2023 court decision finding violations of New York’s prohibitions against, among other things, usury and predatory lending, and requiring the companies to cease collections and to repay thousands of small businesses the interest they paid. The companies were ordered to provide the full restitution and damages within 60 days to all merchants who entered into MCAs, including refunding all amounts taken from merchants or their guarantors in connection with the MCAs, minus the principal amounts funded to the borrowers. After the companies failed to pay the damages, the AG sought the entry of the monetary judgment from the court.
California appeals court vacates a ruling on enjoining enforcement of CPRA regulations
On February 9, California’s Third District Court of Appeal vacated a lower court’s decision to enjoin the California Privacy Protection Agency (CPPA) from enforcing regulations implementing the California Privacy Rights Act (CPRA). The decision reverses the trial court’s ruling delaying enforcement of the regulations until March 2024, which would have given businesses a one-year implementation period from the date final regulations were promulgated (covered by InfoBytes here).
The CPRA mandated the CPPA to finalize regulations on specific elements of the act by July 1, 2022, and provided that “the Agency’s enforcement authority would take effect on July 1, 2023,” a one-year gap between promulgation and enforcement. The CPPA did not issue final regulations until March of 2023, but sought to enforce the rules starting on the July 1, 2023, statutory date. In response, in March 2023, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The trial court held that a delay was warranted because “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” On appeal, the court emphasized that there is no explicit and unambiguous language in the law prohibiting the agency from enforcing the CPRA until at least one year after final regulations are approved, and that and found that while the mandatory dates included in the CPRA “amounts to a one-year delay,” such a delay was not mandated by the statutory language. The court further found that there is no indication from the ballot materials available to voters in passing the statute that the voters intended such a one-year delay. The court explained that the one-year gap between regulations could have been interpreted to give businesses time to comply, or as a period for the agency to prepare for enforcing the new rules, or there may also be other reasons for the gap.
Accordingly, the appellate court held that Chamber of Commerce “was simply not entitled to the relief granted by the trial court.” As a result of the court’s decision, businesses are now required to commence implementing the privacy regulations established by the agency.
California DFPI proposes new regulations under the Debt Collection Licensing Act
On February 9, the California Department of Financial Protection and Innovation (DFPI) published a proposed rule to adopt new regulations under the Debt Collection Licensing Act (DCLA). Under the DCLA, a debt collector licensee is required to pay the DFPI Commissioner its “pro rata share of all costs and expenses incurred in the administration” of the DCLA, which is calculated in part based on the licensee’s “net proceeds generated by California debtor accounts,” but the term “net proceeds” was not defined in the statute. The proposed rule defines “net proceeds generated by California debtor accounts” to mean “the amount retained by a debt collector from its California debt collection activity.” The proposed rule also specifies the formulas used in calculating the net proceeds depending on the party, including a debt buyer, purchaser of debt that has not been charged off or in default, third-party collector, and first-party collector.
Additionally, the proposed rule requires licensees to file an annual report with the DFPI and specifies the information required in the annual report, including (i) the number of California debtor accounts collected on in the previous year; (ii) the number of California debtor accounts in the licensee’s portfolio as of December 31 of the preceding year; and (iii) the number and dollar amount of California debtor accounts for which collection was attempted, but not successfully collected or resolved during the previous year. Comments to the proposed rule must be submitted by March 27.
Washington State Attorney General wins two suits under medical billing practices
On February 1, the Attorney General from Washington State successfully sued a large healthcare group to pay over $158 million for settlement of funds under the state’s Consumer Protection Act (CPA). The Washington AG stated that the healthcare group violated state law which requires hospital management to notify patients about financial assistance and to screen them for eligibility before trying to collect payment. The healthcare group has been ordered to pay $20.6 million in patient refunds and will forgive $137.2 million in medical debts; it will also pay $4.5 million to cover the attorney general’s costs. Among others, the consent decree includes several injunctions to be engaged in or refrained from for five years, including maintaining charity care policies, and not collecting payment for medical services unless presented with either of two stated stipulations. Lastly, the consent decree states that if the healthcare group violates a condition, it would have to pay up to $125,000 per violation. The defendants do not admit the allegations of the complaints filed in the first lawsuit from February 2022.
Similarly, on February 2 the Washington AG successfully entered into a motion for partial summary judgment against a medical debt collection agency working within the healthcare group for sending 82,729 debt collection notices under the Collection Agency Act (CAA). The court agreed with the AG’s finding that the agency’s debt collection notices failed to make the required disclosures under the CAA. Damages have not yet been awarded.
Connecticut Attorney General reports on Connecticut Data Privacy Act
On February 1, Connecticut’s Attorney General (AG) released a report on the Connecticut Data Privacy Act (CTDPA) including information on the law and how the state enforces it. Enacted in May 2022, the CTDPA is a comprehensive consumer data privacy law which took effect on July 1, 2023. The CTDPA gives consumers in Connecticut a set of rights regarding their personal information and privacy standards for businesses handling such data. Connecticut residents can: (i) see what data companies have on them; (ii) ask for corrections on inaccurate information; (iii) request the deletion of their data; and (iv) choose not to have their personal information used for selling products, targeted advertisements, or profiling. The report noted that within the first six months the CTDPA has been in effect, the AG issued dozens of violations towards a number of information requests. It added that companies generally responded positively to the notices and updated quickly their privacy policies and consumer rights mechanisms. According to the report, while some companies initially went below the CTDPA threshold, they made changes to meet it later while a few went beyond identified areas in the notices by strengthening their disclosures.
The report also mentioned that beginning on January 1, 2025, businesses are required to acknowledge universal opt-out signals, reflecting consumers’ choice to opt out of targeted advertising and the sale of personal data. This mandatory provision was emphasized during Connecticut's legislative process to alleviate the consumer burden, and it has been enacted into law. Finally, the report discusses possible expansions and clarifications to the CTDPA for the legislature to consider.
California Attorney General investigates streaming services for CCPA violations
On January 26, California State Attorney General Rob Bonta announced an investigative initiative by issuing letters to businesses operating streaming apps and devices, accusing them of non-compliance with the California Consumer Privacy Act (CCPA). The focus of the investigation is the evaluation of streaming services’ adherence to the CCPA's opt-out requirements, in particular those businesses that sell or share consumer personal information. The investigation targets businesses failing to provide a direct mechanism for consumers wishing to prevent the sale of their data.
AG Bonta urged consumers to know about and exercise their rights under the CCPA, emphasizing the right to instruct businesses not to sell their personal information. The CCPA grants California consumers enhanced rights regarding the collection, sharing, and disclosure of their personal information by businesses, and compliance responsibilities include responding to consumer requests and providing necessary notices about privacy practices. AG Bonta noted that the right to opt-out under the CCPA mandates that businesses selling or sharing personal data for targeted advertising must facilitate an easy and minimal-step process for consumers to exercise their right. For example, users should be able to easily navigate their streaming service’s mobile application settings to enable the “Do Not Sell My Personal Information” option. The expectation is that this choice remains effective across various devices if users are logged into their accounts when electing to opt-out. Finally, Bonta added that consumers should be given easy access to a streaming service’s privacy policy outlining their CCPA rights.
Texas resolves securities fraud case with decentralized finance lending platform
Recently, a decentralized finance crypto lending platform and its owners (respondents) entered into a settlement agreement with a Texas regulatory agency, resolving an emergency cease-and-desist action brought in June 2023. The Texas State Securities Board alleged that respondents committed securities fraud in connection with the offers and sales of investments, falsely denied the platform’s impending bankruptcy, and “secretly” transferred customer funds to a crypto exchange, as well as offered unregistered securities. Under the terms of the settlement, respondents have agreed to, among other things, (i) inform clients of its plan for asset return within seven days of the settlement and provide a seven-day window for clients to withdraw assets through the app; (ii) continue to provide customer support to prior customers; (iii) pay an administrative fine; and (iv) cease-and-desist from selling unregistered securities in the state without admitting or denying the allegations. Texas also agreed to dismiss its emergency cease-and-desist order as part of the settlement.
Colorado Attorney General fines debt collector $500,000 for collecting on illegal loans
On January 16, the Colorado State Attorney General (AG) reached a settlement agreement with a third-party debt collection company that is ordered to pay $500,000 to the State. The company previously contracted to collect debt from consumers on behalf of unlicensed lending entities associated with Native American tribes, or Tribal Lending Entities (TLEs). According to the settlement agreement, none of the TLEs were licensed Colorado lenders and all of their loan agreements with consumers contained finance charge terms that exceeded the Uniform Consumer Credit Code’s 12 percent finance charge cap on unlicensed lenders—with most having interest rates that exceeded 500 percent APR and some up to 900 percent APR. The AG alleged that, between 2017 and 2022, the company violated the Colorado Fair Debt Collection Practices Act by using “unfair or unconscionable means” to collect on defaulted TLE-issued loans by representing to consumers that the entire loan balance was owed to the TLEs, that the company was legally authorized to collect the payments, and that consumers were legally obligated to pay the full amount. The company denies that its conduct violated any state law and otherwise denies all allegations of wrongdoing. Along with the penalty, the company will be barred from collecting on any debt where the loan’s APR exceeded the 12 percent cap and will provide the State with a list of affected consumers within 30 days.