
InfoBytes Blog

Financial Services Law Insights and Observations



  • Court delays enforcement of California privacy regulations

    Privacy, Cyber Risk & Data Security

    The Superior Court for the County of Sacramento adopted a ruling during a hearing held June 30, granting the California Chamber of Commerce’s (Chamber of Commerce) request to enjoin the California Privacy Protection Agency (CPPA) from enforcing its California Privacy Rights Act (CPRA) regulations until March 2024. Enforcement of the CPRA regulations was set to begin July 1.

    The approved regulations (which were finalized in March and took effect immediately) update existing California Consumer Privacy Act regulations to harmonize them with amendments adopted by voter initiative under the CPRA in November 2020. (Covered by InfoBytes here.) In February of this year, the CPPA acknowledged that it had not finalized regulations regarding cybersecurity audits, risk assessments, and automated decision-making technology and posted a preliminary request for comments to inform this rulemaking. (Covered by InfoBytes here.) The June 30 ruling referred to a public statement issued by the CPPA, in which the agency explained that enforcement of those three areas would not commence until after the applicable regulations are finalized. However, the CPPA stated it intended to “enforce the law in the other twelve areas as soon as July 1.”

    In March, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The Chamber of Commerce argued that the CPPA had finalized its regulations in March 2023 (rather than the statutorily-mandated completion date of July 1, 2022), and as a result businesses were not provided the required one-year period to come into compliance before the CPPA begins enforcement. The CPPA countered that the text of the statute “is not so straightforward as to confer a mandatory promulgation deadline of July 1, 2022, nor did the voters intend for impacted business to have a 12-month grace period between the [CPPA’s] adoption of all final regulations and their enforcement.”

    The court disagreed, finding that the CPPA’s failure “to timely pass final regulations” as required by the CPRA “is sufficient to grant the Petition.” The court stated that because the CPRA required the CPPA to pass final regulations by July 1, 2022, with enforcement beginning one year later, “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court added that it was “not persuaded” by the CPPA’s argument “that it may ignore one date while enforcing the other.” However, staying enforcement of all the regulations for one year until after the last of the CPRA regulations have been finalized would “thwart the voters’ intent.” In striking a balance, the court stayed the CPPA’s enforcement of the regulations that became final on March 29 and said the agency may begin enforcing those regulations on March 29, 2024. The court also held that any new regulations issued by the CPPA will be stayed for one year after they are implemented. The court declined to mandate any specific date by which the CPPA must finalize the outstanding regulations.

    Privacy, Cyber Risk & Data Security State Issues Courts California CPRA CPPA Enforcement CCPA

  • Connecticut amends requirements for small lenders

    On June 29, SB 1033 (the “Act”) was enacted in Connecticut to amend the banking statutes. The Act, among other things, (i) redefines “small loan”; (ii) redefines “APR” to be calculated based on the Military Lending Act and include the cost of ancillary products among other fees as part of the “finance charge”; (iii) requires more people to obtain small loan licenses; (iv) requires that certain small loans are worth $5,000-$50,000, which is intended to capture larger loans particularly for student borrowers who may enter into income sharing agreements; (v) prohibits small loans from providing for an advance exceeding an unpaid principal of $50,000; and (vi) eliminates a requirement that certain people demonstrate an ability to supervise mortgage servicing offices in person. The Act also includes new licensing provisions, adding that any person who acts as an agent or service provider for a person who is exempt from licensure requires licensure if (i) they have a predominant economic interest in a small loan; (ii) they facilitate and hold the right to purchase the small loan, receivables or interest in the small loan; or (iii) the person is a lender who structured the loan to evade provisions in the Act. If the facts and circumstances deem the person a lender, they must be licensed under the Act.

    Licensing State Issues Small Dollar Lending Loan Origination Connecticut State Legislation

  • New Hampshire amends rules for interest on escrow accounts

    State Issues

    On June 20, New Hampshire enacted HB 520 (the “Act”) to amend provisions relating to escrow accounts maintained by licensed nondepository mortgage bankers, brokers, and servicers. The Act amends guidelines surrounding interest payments to escrow accounts maintained for the payment of taxes or insurance premiums related to loans on single family homes in New Hampshire and property secured by real estate mortgages. For both (single family homes and property) accounts, payments must be at a rate no less than the National Deposit Rate for Savings Accounts. Further, interest payments during the six-month period beginning on April 1 of each year, must be no less than the FDIC published rate in January of the same year, whereas interest payments during the six-month period beginning on October 1 of each year, must be no less than the FDIC published rate in July of the same year. 

    The Act was effective upon its passage.

    State Issues State Legislation Mortgages Interest New Hampshire FDIC Escrow Consumer Finance

  • Supreme Court blocks student debt relief program


    On June 30, the U.S. Supreme Court issued a 6-3 decision in Biden v. Nebraska, striking down the Department of Education’s (DOE) student loan debt relief program (announced in August and covered by InfoBytes here) that would have provided between $10,000 and $20,000 in debt cancellation to certain qualifying federal student loan borrowers making under $125,000 a year.

    The Biden administration appealed an injunction entered by the U.S. Court of Appeals for the Eighth Circuit that temporarily prohibited the Secretary of Education from discharging any federal loans under the agency’s program. (Covered by InfoBytes here.) Arguing that the universal injunction was overbroad, the administration contended that the six states lack standing because the debt relief plan “does not require respondents to do anything, forbid them from doing anything, or harm them in any other way.” Moreover, the secretary was acting within the bounds of the Higher Education Relief Opportunities for Students Act of 2003 (HEROES Act) when he put together the debt relief plan, the administration claimed.

    In considering whether the secretary has authority under the HEROES Act “to depart from the existing provisions of the Education Act and establish a student loan forgiveness program that will cancel about $430 billion in debt principal and affect nearly all borrowers,” the Court majority (opinion delivered by Chief Justice Roberts, in which Justices Thomas, Alito, Gorsuch, Kavanaugh, and Barrett joined) held that at least one state, Missouri, had Article III standing to challenge the program because it would cost the Missouri Higher Education Loan Authority (MOHELA), a nonprofit government corporation created by the state to participate in the student loan market, roughly $44 million a year in fees. “The harm to MOHELA in the performance of its public function is necessarily a direct injury to Missouri itself,” the Court wrote.

    The Court also ruled in favor of the respondents on the merits, noting that the text of the HEROES Act does not authorize the secretary’s loan forgiveness plan. While the statute allows the Secretary to “waive or modify” existing statutory or regulatory provisions applicable to student financial assistance programs under the Education Act in connection with a war or other military operation or national emergency, it does not permit the Secretary to rewrite that statute, the Court explained, adding that the “modifications” challenged in this case create a “novel and fundamentally different loan forgiveness program.” As such, the Court concluded that “the HEROES Act provides no authorization for the [s]ecretary’s plan when examined using the ordinary tools of statutory interpretation—let alone ‘clear congressional authorization’ for such a program.”

    In dissent, three of the justices argued that the majority’s overreach applies to standing as well as to the merits. The states have no personal stake in the loan forgiveness program, the justices argued, calling them “classic ideological plaintiffs.” While the HEROES Act bounds the secretary’s authority, “within that bounded area, Congress gave discretion to the [s]ecretary” by providing that he “could ‘waive or modify any statutory or regulatory provision’ applying to federal student-loan programs, including provisions relating to loan repayment and forgiveness. And in so doing, he could replace the old provisions with new ‘terms and conditions,’” the justices wrote, adding that the secretary could provide whatever relief needed that he deemed most appropriate.

    The Court also handed down a decision in Department of Education v. Brown, ruling that the Court lacks jurisdiction to address the merits of the case as the respondents lacked Article III standing because they failed to establish that any injury they may have suffered from not having their loans forgiven is fairly traceable to the program. Respondents in this case are individuals whose loans are ineligible for debt forgiveness under the plan. The respondents challenged whether the student debt relief program violated the Administrative Procedure Act’s notice-and-comment rulemaking procedures as they were not given the opportunity to provide feedback. (Covered by InfoBytes here.)

    President Biden expressed his disappointment following the rulings, but announced new actions are forthcoming to provide debt relief to student borrowers. (See DOE fact sheet here.) The first is a rulemaking initiative “aimed at opening an alternative path to debt relief for as many working and middle-class borrowers as possible, using the Secretary’s authority under the Higher Education Act.” The administration also announced an income-driven repayment plan—the Saving on a Valuable Education (SAVE) plan—which will, among other things, cut borrowers’ monthly payments in half (from 10 to 5 percent of discretionary income) and forgive loan balances after 10 years of payments rather than 20 years for borrowers with original loan balances of $12,000 or less.

    Courts Federal Issues State Issues U.S. Supreme Court Biden Consumer Finance Student Lending Debt Relief Department of Education HEROES Act Administrative Procedure Act Appellate Eighth Circuit

  • Nevada to regulate student loan servicers and lenders

    On June 14, the Nevada governor signed AB 332 (the “Act”) which provides for the licensing and regulation of student loan servicers. The Act also implements provisions for the regulation of private education loans and lenders. Among other things, the Act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Commissioner of Financial Institutions. Specifically, the Act states that a person seeking to act as a student loan servicer is exempt from the application requirements only if the commissioner determines that the person’s servicing performed in the state is conducted pursuant to a contract awarded by the U.S. Secretary of Education.

    The Act also outlines numerous requirements relating to licensing applications, including that the commissioner may participate in the Nationwide Multistate Licensing System and Registry (NMLS), and may instruct NMLS to act on his or her behalf to, among other things, collect and maintain records of applicants and licensees, collect and process fees, process applications, and perform background checks. The commissioner is also permitted to enter into agreements or sharing arrangements with other governmental agencies, the Conference of State Bank Supervisors, the State Regulatory Registry, or other such associations. Additional licensing provisions set forth requirements relating to licensing renewals, reinstatements, surrenders, and denials; liquidity standards; and bond requirements. The commissioner is also granted general supervisory, investigative, and enforcement authority relating to student loan servicers and student education loans and may impose civil penalties for violations of the Act’s provisions. The commissioner must conduct investigations and examinations at least once a year (with licensees being required to pay for such investigations and examinations). The Act further provides that the student loan ombudsman shall enter into an information sharing agreement with the office of the attorney general to facilitate the sharing of borrower complaints.

    With respect to private education lenders, the Act establishes certain protections for cosigners of private education loans and prohibits private education lenders from accelerating the repayment of a private education loan, in whole or in part, except in cases of payment default. A lender may be able to accelerate payments on loans made prior to January 1, 2024, provided the promissory note or loan agreement explicitly authorizes an acceleration based on established criteria. The Act also sets forth responsibilities for lenders in the case of the total and permanent disability of a private education loan borrower or cosigner, including cosigner release requirements. Additional provisions outline prohibited conduct and create requirements and prohibitions governing lenders’ business practices. Furthermore, private education lenders are not exempt from any applicable licensing requirements imposed by any other specific statute.

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on January 1, 2024 for all other purposes.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS

  • Maryland says crypto enforcement could affect money transmitter licensure

    On June 22, the Maryland Commissioner of Financial Regulation issued an advisory on recent enforcement actions by Maryland and federal securities enforcement agencies against cryptocurrency-related businesses that could potentially impact businesses pursuing money transmitter licensure. The actions allege certain businesses offered products constituting securities while they were only licensed as money transmitters by the Commissioner of Financial Regulation. The state takes “character and fitness” into consideration for licensure and although the Commissioner does not enforce securities laws, he or she must consider violations of law, including violations of Maryland securities law, when determining whether to grant licenses. The advisory reads, “compliance with law, particularly Maryland law, regardless of whether or not the law falls within the Commissioner’s purview, must be considered when determining whether a licensee warrants the belief that business will be conducted lawfully, and thus whether the licensee is, or remains, qualified for licensure.” Moreover, violations of securities laws could form the grounds for action by the Commissioner against a licensee, “including but not limited to, an action seeking to revoke a license.”

    Licensing State Issues Enforcement State Attorney General Maryland Money Service / Money Transmitters

  • Rhode Island enacts provisions for real estate appraisal

    On June 20, the Rhode Island state governor signed SB 850 (the “Act”), which amends the Real Estate Appraiser Certification Act and the Real Estate Appraisal Management Company (AMC) Registration Act for consistency with federal laws and recommendations from the appraisal subcommittee. Among other things, the Act includes new terminology, including “covered transaction” and “state-licensed real estate appraiser.” This Act sets forth numerous additional provisions, one of which requires that appraisals must be performed by licensed or certified appraisers unless they are specifically exempt under federal law. Also amended are state-certified appraisers and state-licensed appraisers’ classifications. Specifically, the text defining residential property appraisal is replaced with a general statement that requirements for certification and licensing of appraisers will be “as required by the appraiser qualifications board of the appraisal foundation.” Another addition addresses the continuing education requirement for state-licensed and state-certified real estate appraisers, which now stipulates that up to one-half of an individual’s continuing education requirement may be completed by participation in certain educational activities approved by the board. Concerning registration, the Act contains a new subsection, detailing that AMCs cannot be registered in the state if any owner (an individual who owns more than 10 percent) of the AMC fails to submit to a background check or any owner is determined by the director to not have good moral character. Among other amendments, the Act also stipulates that registration is now valid for only one year (previously two years) after issuance.

    The Act is effective upon passage.

    Licensing State Issues State Legislation Rhode Island Appraisal

  • NYDFS publishes new proposal on cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

    • New and amended definitions. The proposed second amendment defines “Chief Information Security Officer or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
    • Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provide that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
    • Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
    • Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

    The proposed second amendment is subject to a 45-day comment period expiring August 14.

    Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

  • Nevada enacts health data privacy measures

    Privacy, Cyber Risk & Data Security

    On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.

    The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.

    Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability.” Additionally, under existing law if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.

    The Act is effective March 31, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Medical Data Nevada HIPAA Consumer Protection

  • Nevada amends licensing and regulation provisions

    On June 15, the Nevada governor signed SB 355 (the “Act”) to amend several provisions relating to existing state law, which provides for the licensure and regulation of various financial institutions by the Commissioner of Financial Institutions. Among other things, the Act prohibits the commissioner “from requiring an applicant for a license to establish a new depository institution to identify the physical address of the proposed depository institution in the application for the license.” Additionally, while the Act requires data collectors that own, license, or maintain personal information to provide notice to the state attorney general and certain other persons of certain breaches of security involving personal information, the amendments now exempt persons licensed to engage in the business of lending in Nevada from these requirements.

    The Act sets forth numerous other provisions, including (i) removing the requirement that debt collection agencies notify a medical debtor via registered or certified mail before taking any action to collect a medical debt; (ii) authorizing certain financial institution employees to temporarily delay certain financial transactions involving the suspected exploitation of an older person or vulnerable person (and setting forth certain liability exemptions); and (iii) authorizing an employee of a licensee to engage in the business of lending in the state at a remote location if authorized by the licensee and specific criteria are met (the Act also outlines prohibited conduct for persons working remotely). Remote work provisions apply to employees of a mortgage company, including mortgage loan originators, so long as the mortgage company provides authorization. The Act also exempts remote locations from certain mortgage transaction recordkeeping requirements, and instead stipulates that a mortgage company must “keep and maintain records of all mortgage transactions made by an employee at a remote location in accordance with the requirements established by the Commissioner of Mortgage Lending by regulation.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act. The remaining provisions take effect October 1, 2023, and January 1, 2024.

    Licensing State Issues State Legislation Nevada

