
InfoBytes Blog

Financial Services Law Insights and Observations


  • Indiana enacts data breach disclosure requirements

    Privacy, Cyber Risk & Data Security

    On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be made within 45 days. HB 1351 takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Indiana Data Breach Disclosures

  • Colorado reaches agreements with credit unions over unused GAP fee violations

    State Issues

    Recently, the Colorado attorney general announced three separate settlements (see here, here, and here) with three credit unions resolving allegations that they neglected to refund unearned Guaranteed Automobile Protection (GAP) fees to Colorado consumers. The administrator of the Uniform Consumer Credit Code (UCCC), who is part of the Consumer Protection Division of the Department of Law and who led the investigation, concluded that the credit unions engaged in unfair and deceptive trade practices under the Colorado Consumer Protection Act by failing to provide GAP refunds automatically, without waiting for a request from the consumer. Under the terms of the assurances of discontinuance, the credit unions have agreed to comply with all legal obligations and issue refunds to affected borrowers, and: (i) must comply with the UCCC rule’s GAP refund requirements; (ii) are subject to an audit to verify the accuracy of their self-audits; and (iii) must send a confirmation letter pre-approved by the administrator to each consumer to whom a GAP refund was paid as a result of the self-audits. The AG noted that the “settlements are part of our office’s efforts to ensure lending institutions follow Colorado law and do not cheat hardworking consumers out of money they are entitled to under their lending and coverage agreements.”

    State Issues Colorado GAP Fees State Attorney General Enforcement Settlement Credit Union Consumer Finance

  • Mississippi passes debt management provisions

    Recently, the Mississippi governor signed HB 687, which establishes debt management services and licensing requirements. According to the bill, a debt management service is defined as “[t]he receiving of money from a consumer for the purpose of distributing one or more payments to or among one or more creditors of the consumer in full or partial payment of the consumer's obligation,” among other things. A debt management service provider is “a person that provides or offers to provide to a consumer in this state any debt management services, in return for a fee or other consideration.” A debt management service provider does not include “[a]ny institution that is regulated, supervised or licensed by the department or any out-of-state institution that is insured by the Federal Deposit Insurance Corporation or the National Credit Union Administration,” among other things. Additionally, no one may operate as a debt management service provider with respect to consumers who are residents of the state without a license. The bill is effective July 1.

    Licensing Mississippi State Legislation Debt Management State Issues

  • Indiana passes loan broker provisions

    On March 18, the Indiana governor signed HB 1092, which amends the provisions regarding loan brokers, including the requirements for licensing and for contracts for the services of a loan broker. Among other things, the bill establishes that a loan processing company notice filing must be made on a form prescribed by the commissioner and include: (i) the loan processing company's business name, address, and state of incorporation or business registration; (ii) the names of the owners, officers, members, or partners who control the loan processing company; and (iii) the name of each individual who is employed by the loan processing company, including the unique identifier from the Nationwide Multistate Licensing System (NMLS) of each loan processor. Additionally, when a contract for the services of a loan broker is assigned, the loan broker shall provide to each party to the contract a copy of the signed contract and a written disclosure of any agreement entered into by the loan broker to procure loans exclusively from one lender. The bill is effective July 22.

    Licensing State Issues Indiana State Legislation Loan Broker NMLS

  • DFPI addresses MTA licensing requirements

    Recently, the California Department of Financial Protection and Innovation (DFPI) released new opinion letters covering aspects of the California Money Transmission Act (MTA) related to a digital currency trading platform and the referral of customers to financial institutions. Highlights from the redacted letters include:

    • Digital Currency Trading Platform. The redacted opinion letter examines whether the inquiring Company requires licensure under the MTA. The letter describes that the Company’s customers would transfer digital currency into the account they have with the Company, with the balance being reflected in the customer’s wallet issued by the Company. The letter further explains that the Company would provide California residents access to its digital currency trading platform to buy, sell, or hold digital currency and provide liquidity services. The letter also describes, among other things, how customers could use the platform, transfer digital currency into the account, and transfer fiat currency by transferring it from their own bank account or by debit or credit card to the Company. Customers would not be able to send fiat or digital currency to others, except in the context of a sale. DFPI concluded that while the Company’s wallets holding fiat currency meet the definition of stored value, licensure under the MTA was not required because the Company offered fiat currency wallets to customers solely to facilitate the trade of digital currency. DFPI also noted that the Company does not require licensure under the MTA to perform Platform trading services or to issue wallets holding digital currencies.
    • Referral of customers to financial institutions. The redacted opinion letter examines whether the inquiring Company’s referral service is subject to the MTA. The letter describes that under this service, the Company would refer customers to banks, trust companies, and other entities which are either licensed as money transmitters in California or exempt from licensure. Under the proposed referral service, customers would be re-directed to a financial institution’s website where they could set up and fund an account. Customers wishing to buy, sell, or exchange cryptocurrency or fiat currency could do so from the Company’s website and use a third party’s software platform to input their order details. The platform would check to make sure that the customer has sufficient assets in the customer’s account with the financial institution to purchase the cryptocurrency. The financial institution would be the only party to hold, receive, or transmit all cryptocurrencies in the customer’s account. DFPI concluded that the referral service does not meet the definition of money transmission because the service entails connecting customers with financial institutions from which customers can buy, sell, or exchange cryptocurrency. Further, DFPI noted that the transactions between customers and financial institutions are also not money transmission because the customer would simply exchange cryptocurrency directly with the financial institution. Accordingly, DFPI held that licensure under the MTA is not required because the Company will not sell or issue payment instruments, sell or issue stored value, or receive money for transmission by offering the referral service.

    Licensing State Issues State Regulators DFPI California Money Transmission Act Digital Assets Digital Currency Fintech Cryptocurrency California

  • NYDFS fines money transmitter $8.25 million for AML compliance failures

    State Issues

    On March 16, NYDFS announced the imposition of an $8.25 million fine on a money transmitter alleged to have violated anti-money laundering (“AML”) requirements and New York law by failing to adequately supervise local agents in New York City that processed an unusual volume of suspicious transactions to China. NYDFS conducted an examination and enforcement investigation, which found that the company “did not adequately oversee the activity of six agents that saw a large spike in transaction volume of business with China.” According to the investigation, there were roughly 7,500 transactions aggregating approximately $30 million in 2014. These figures rose to more than 25,000 transactions aggregating more than $100 million during the period between January 2016 and May 2017. Most of these transactions were processed by small, store-front independent agents—“a clear indicator of increased money laundering risk, particularly given that the destination was known to carry a high AML risk,” NYDFS stated, adding that the company should also have addressed the risks resulting from a suspicious pattern of different senders transmitting money to the same recipient. NYDFS acknowledged that the company, when alerted to the increased transaction activity, severed its relationship with the problematic agents and implemented remedial measures to improve supervision of its agents. Under the terms of the consent order, the company will pay an $8.25 million civil money penalty and is required to submit a report to NYDFS outlining enhancements made with respect to new and existing agents, its suspicious activity reporting program, and special transaction limitations. Additionally, NYDFS announced that the company will also update the Department on improvements to the policies and procedures of its Bank Secrecy Act/AML compliance program and will provide data to NYDFS for ongoing monitoring purposes.

    State Issues State Regulators NYDFS Enforcement Compliance Money Service / Money Transmitters Payments Anti-Money Laundering Bank Secrecy Act SARs Of Interest to Non-US Persons China

  • District Court approves $17 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging that two defendant insurance companies failed to protect the personal and private identifying information of over six million employees and customers, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants had suffered two separate data breaches, in December 2020 and March 2021. The cases were consolidated, and the parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursement at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues CCPA California

  • Wyoming enacts genetic data privacy provisions

    Privacy, Cyber Risk & Data Security

    On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected, and provides consumers with a private right of action to seek damages from businesses that violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.

    Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Wyoming Consumer Protection

  • California clarifies that internally generated inferences are “personal information” under the CCPA

    Privacy, Cyber Risk & Data Security

    On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to internally generated inferences that the business holds about the consumer from either internal or external information sources. According to the OAG, the answer is yes—consumers have the right to know internally generated inferences about themselves, and a business must provide such information upon request, unless a business can demonstrate an applicable CCPA statutory exception. The CCPA, which was enacted in June 2018 and became effective January 1, 2020 (covered by a Buckley Special Alert), provides California consumers with new rights of control over the personal information held about them (with certain exceptions), including the right to know what information is being collected and how a business uses and shares that information, the right to delete personal information, and the right to opt out of certain transfers and sales of their personal information. The OAG noted that while the Consumer Privacy Rights Act of 2020 will become fully operative January 1, 2023, none of the act’s amendments to the CCPA will change the conclusions presented in the opinion.

    The OAG’s opinion defines “inference” under the CCPA to mean “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Example inferences such as “married,” “homeowner,” “online shopper,” or “likely voter,” the OAG explained, are derived from information collected by businesses such as online transactions, social network posts, or public records. OAG noted that some businesses also use proprietary methods to create inferences and “then sell or transfer the inferences to others for commercial purposes,” thus allowing, according to studies, “seemingly innocuous data points” to be combined with other data points “to deduce startlingly personal characteristics.” According to the OAG’s interpretation of the plain language of the CCPA, as well as legislative history, businesses are generally required “to disclose internally generated inferences to consumers” “regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source.”

    The OAG further explained that inferences are “personal information” for purposes of the CCPA, and therefore must be disclosed, provided two conditions exist: (i) “the inference is drawn ‘from any of the information identified’” in subdivision (o) of Civil Code section 1798.140, which includes, among other things, personal identifiers such as names, addresses, account numbers, or identification numbers, customer records, age, gender, race, or religion, as well as inferences obtained from any of the listed items; and (ii) “the inference is used to ‘create a profile about a consumer,’ or in other words to predict a salient consumer characteristic.” For the purposes of responding to a consumer’s request to know, the OAG stated that “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.” The business is required to disclose the personal information it holds to the consumer upon request. The OAG noted, however, that the CCPA does not require businesses to disclose protected trade secrets used to derive their inferences, provided the business demonstrates “that such inferences are indeed trade secrets under the applicable law.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General California CCPA CPRA

  • DFPI reminds financial institutions of their sanctions compliance obligations

    State Issues

    On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited from participating in financial transactions with individuals and entities listed on the SDN List, and are encouraged to review the specific, more limited sanctions that have been placed on several Russian entities. This information can be found on OFAC's website.

    Additionally, licensees are strongly encouraged to immediately ensure their systems, programs, and processes comply with OFAC regulations, and review and monitor all transactions (particularly trade finance transactions and funds transfers) to identify and block transactions subject to sanctions. Licensees should also follow OFAC directions related to blocked funds.

    DFPI further warned that Russia’s invasion of Ukraine increases the risk that listed individuals and entities will attempt to evade sanctions by using virtual currency transfers, and encouraged licensees to review OFAC Guidance to protect against these risks. Licensees engaged in transactions involving virtual currencies are instructed to implement policies, procedures, and processes to protect against the unique risks posed by virtual currencies and should “consider virtual currency-specific control measures including sanctions lists, geographic screening, and any other measures appropriate to the licensee’s specific risk profile.”

    Additionally, DFPI cautioned that the “Russian invasion significantly elevates the cyber risk for the U.S. financial sector,” and licensees are instructed to take measures to mitigate cybersecurity threats, including adopting core cybersecurity hygiene measures, eliminating any non-essential networking protocols, ensuring procedures are able to address a ransomware attack, and reevaluating “plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages.” Licensees are encouraged to track alerts from the Cybersecurity and Infrastructure Security Agency.

    Licensees conducting business in Ukraine and/or Russia should also “take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “segregate networks for Ukrainian or Russian offices from the global network.”

    NYDFS also recently issued similar guidance for New York state regulated entities on its cybersecurity and virtual currency regulations in response to the Russian invasion and recently imposed sanctions. (Covered by a Buckley Special Alert.)

    State Issues Digital Assets Financial Crimes State Regulators DFPI California NYDFS OFAC Department of Treasury OFAC Sanctions OFAC Designations Ukraine Ukraine Invasion Russia Privacy/Cyber Risk & Data Security
