The California legislature amended the California Finance Lenders Law (CFLL) allowing persons to make one commercial loan in a 12-month period without obtaining a license. This change effectively reenacts a de minimis exemption that was repealed in 2014, and is effective January 1, 2017 through January 1, 2022.
Effective September 28, 2016, the implementing regulations to the CFLL and California Residential Mortgage Lending Act (CRMLA) were amended such that subsidiaries and affiliates of exempt institutions are no longer exempt, by nature of this association, from the licensing requirements with respect to consumer and residential mortgage loans. The Department of Business Oversight filed the action to reverse through regulation previous Commissioner opinions that interpreted licensing exemptions under the CFLL and CRMLA to apply broadly to include subsidiaries of exempt financial institutions.
The definition of a lender under the CRMLA was also amended and now includes a person, other than a natural person, and a natural person who is also an independent contractor, who engages in the activities of a loan processor or underwriter for residential mortgage loans, but does not solicit loan applicants, originate mortgage loans, or fund mortgage loans. Further, the Commissioner may require a licensee who is engaged in the processing or underwriting of residential mortgage loans to continuously maintain a minimum tangible net worth in an amount that is greater than $250,000, but that does not exceed the net worth required of an approved lender under the Federal Housing Administration.
On October 3, Connecticut AG Jepsen, alongside Banking Commissioner Jorge Perez, resolved a four-year investigation into a Connecticut-based investment bank’s residential mortgage-backed securities (RMBS) practices. According to the consent order, from January 2005 to December 2008, the investment bank was the lead securities underwriter of about 250 RMBS deals with a value of more than $250 billion. The state alleged, among other things, that the bank’s due diligence process on the 250 RMBS deals was “inadequate and resulted in omissions and misstatements in the representations made to the public and investors about the securities.” The $120 million settlement is Connecticut’s largest single settlement in history.
On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of a breach, and more recently amended the law to require 12 months of identity protection and to strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating that businesses implement security controls to protect personal information relating to state residents.
The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than just asking financial entities to conduct a risk assessment and to design measures to address the identified risks.
California AG Harris Announces Settlement with San Francisco-Based Bank Over Consumer Privacy Violations
On March 28, California AG Harris announced an $8.5 million settlement with a San Francisco-based bank for alleged violations of California consumer privacy laws. Specifically, AG Harris’s and five district attorneys’ investigation into the bank found that its employees failed to “timely and adequately disclose the recording of communications they had with members of the public” in violation of sections 632 and 632.7 of the California Penal Code. Without admitting liability, the bank agreed to (i) implement changes to its policies; (ii) comply fully with California’s laws concerning the recording of communications between the bank and California consumers, making a clear, conspicuous, and accurate disclosure (the Recorded Call Disclosure) at the beginning of any communication that is subject to recording; and (iii) implement an internal compliance program to “promote full compliance with the requirements of Penal Code sections 632.7 and 632, and the Recorded call disclosure.” Of the $8.5 million civil money penalty, $384,000 will be used to reimburse the prosecutors’ investigative costs, and $500,000 will be contributed to two California organizations dedicated to advancing consumer protection and privacy rights.