InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer Law, database providers are prohibited from limiting access to dealer data by dealer-authorized third parties and are required to create a standardized framework to facilitate access. The plaintiffs—technology companies that license dealer management systems (DMS)—sued the Arizona attorney general and the Arizona Automobile Dealers Association in an attempt to stop the Dealer Law from taking effect. The plaintiffs contended that the Dealer Law is preempted by the Copyright Act because it gives dealers the right to access plaintiff’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. The plaintiffs further claimed the Dealer Law is a violation of the U.S. Constitution’s contracts clause.
On appeal, the 9th Circuit agreed that the plaintiffs were not entitled to a preliminary injunction. The appellate court concluded that the Dealer Law was not preempted by the Copyright Act, because, among other things, the plaintiffs could comply with the Dealer Law without having to create a new copy of its software to process third-party requests. Moreover, the 9th Circuit noted that even if the plaintiffs had to create copies of their DMS on their servers to process third-party requests, they failed to established that those copies would infringe their reproduction right, and the copies the plaintiffs took objection to “would be copies of its own software running on its own servers and not shared with anyone else.” The appellate court further held that the Dealer Law was not a violation of the U.S. Constitution’s contracts clause because, among other things, plaintiffs did not show that complying with the Dealer Law prevented them from being able to keep dealer data confidential. “Promoting consumer data privacy and competition plainly qualify as legitimate public purposes,” the appellate court wrote. “[Plaintiffs] point[] out that the Arizona Legislature did not make findings specifying that those were the purposes motivating the enactment of the statute, but it was not required to do so. The purposes are apparent on the face of the law.”
Creditor must pay fine for collecting debts under a different name
Recently, the Connecticut Department of Banking entered into a consent order with a North Carolina-based company resolving allegations that it violated Connecticut collection practices laws and regulations by allegedly using a name other than the company’s legal name when collecting unpaid debts without a Connecticut consumer collection agency license. The Department’s investigation stemmed from a newspaper article in which a Connecticut resident complained that he received bills from a company in an attempt to collect $314 for a Covid-19 test. The company responded to the Department’s inquiry by stating that a collection agency license was not required because the collections were made by an in-house division of the company, and not on behalf of a third party. The company also cited cases in which federal courts dismissed similar allegations under the federal FDCPA. After an investigation, the Department alleged that the company constituted as a “creditor” and by using a different name, was in violation of the Regulations of Connecticut State Agencies, “which prohibits the use of any business, company or organization name other than the true name of the creditor’s organization.” The consent order requires that the company pay a civil money penalty of $10,000 and that the company cease and desist from using any name other than its true legal name to collect debts.
NMLS seeks comments on changes to Money Services Businesses Call Report
On October 18, the Conference of State Bank Supervisors (CSBS) issued a request for public comments on behalf of NMLS-participating state regulatory agencies on proposed changes to the NMLS Money Services Businesses Call Report (MSBCR). The MSBCR seeks to create “a nationwide repository of standardized information available to state regulators concerning the financial condition and activities of their Money Services Businesses licensees.” CSBS requests comments on edits to existing virtual currency transaction line items, new virtual currency line items addressing activities not already covered, revisions to the definition of existing permissible investments, and edits to definitions and titles of existing financial condition line items. Comments are due December 17.
NYDFS seeks to implement Commercial Finance Disclosure Law
On October 20, NYDFS published a notice announcing a proposed regulation (23 NYCRR 600) to implement New York’s Commercial Finance Disclosure Law (CFDL) (covered by InfoBytes here). The CFDL was enacted at the end of December 2020, and amended in February to expand coverage and delay the effective date to January 1, 2022. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which includes persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less.
As previously covered by InfoBytes, NYDFS solicited comments on a pre-proposed regulation released last month, which, among other things, (i) specified persons and entities required to comply with the regulation; (ii) defined terms used within the CFDL, including “commercial financing” and “finance change”; (iii) explained APR rate calculations and allowed tolerances; (iv) outlined specific disclosure requirements, including formatting and signature requirements; and (vi) detailed several provisions related to commercial financings that offer multiple payment options, certain duties of financers and brokers involved in commercial financing, record retention requirements, and the reporting process for certain providers that calculate estimated annual percentage rates.
The proposed regulation made several changes to the pre-proposed regulation based on comments NYDFS received. These include:
- Modifying the definition of when a specific offer is made that triggers the requirement to provide a disclosure. NYDFS stated that this change “should allow for some negotiations between borrowers and lenders before disclosures are required.”
- Adding the Secured Overnight Financing Rate (SOFR) as an acceptable rate index for use in adjustable-rate financings due to the cessation of LIBOR at the end of the year.
- Clarifying the definition of a “broker” to be “defined in terms of the substantive services they perform during the underwriting process.”
- Modifying the allowed tolerances when calculating APRs as required under Part 600.04. For most transactions, NYDFS explained that the tolerance threshold will remain one-eighth of one percent. For irregular transactions, NYDFS proposed a larger tolerance of one-quarter of one percent.
Additionally, the proposed regulation provides that the compliance date for the final regulation will be six months after the final adoption and publication of the regulation in the State Register. Comments on the proposed regulation are due December 19.
District Court denies MSJ in FDCPA case
On October 19, the U.S. District Court for the Middle District of Florida denied a defendant’s motion for judgment without prejudice concerning allegations that it knowingly ignored cease-and-desist letters sent by an individual while the individual had a pending bankruptcy petition. The plaintiff allegedly incurred a debt that was placed with the defendant for collection. After, the plaintiff sought protection under the Bankruptcy Code. During the bankruptcy case, the defendant allegedly sent the plaintiff text messages to collect the debt, the plaintiff responded with a cease-and-desist letter, and then the defendant sent the plaintiff a collection letter. The plaintiff sent another cease and desist letter and the defendant sent four more collection letters. Based on the defendant’s post-petition actions, the plaintiff sued for FDCPA and Florida Consumer Collection Practices Act violations. The defendant argued that the plaintiff failed to disclose this lawsuit in her bankruptcy case, which would result in the FDCPA case being dismissed on judicial estoppel grounds. However, the court found that while the plaintiff omitted the name and specific circumstances of her claims against the defendant, she “put the Bankruptcy Court, trustee, and creditors on notice she had a claim against a creditor and properly sought approval from the Bankruptcy Court before retaining counsel to pursue it.” The court went on to state that if the plaintiff “intended to deceive creditors or others in bankruptcy, filing the Application strayed from that intent,” and that “the filing mitigates any prejudice claimed by [the defendant].”
District Court preliminarily approves $85 million class action privacy settlement
On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to class members, the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. The court’s preliminary approval certified a nationwide settlement class of individuals who, between March 30, 2016 and the settlement date, “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication.” Under the terms of the preliminarily approved settlement, the company will establish an $85 million non-reversionary cash fund to pay valid claims, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company must educate users about available security features, and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
District Court partially denies company’s motion to dismiss in data breach class action
On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.
The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiff failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.
District Court approves non-party settlement in student debt-relief action
On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.
States, consumer advocates urge agencies to explicitly disavow rent-a-bank schemes
On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).
According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.
The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”
North Carolina creates regulatory sandbox
On October 15, the North Carolina governor signed HB 624, which creates a regulatory sandbox program and establishes the North Carolina Innovation Council (Council). Under the North Carolina Regulatory Sandbox Act of 2021, participants will have 24 months from the date an application is approved (unless granted an extension) to test an innovative product or service on consumers in the state without being subject to state laws and regulations that normally would regulate such products or services. The waiver “shall be no broader than necessary to accomplish the purposes” established under the Act. The Act notes that legislative findings determined that existing legal and regulatory frameworks restrict innovation because they “were established largely at a time when technology was not a fundamental component of industry ecosystems, including banking and insurance,” and that innovators would benefit from a flexible regulatory regimen to test new products, services, and emerging technologies. In addition, the Council will provide support for innovation, encourage participation in the regulatory sandbox, and set standards, principles, guidelines, and policy priorities for the types of innovations supported by the regulatory sandbox. The Council will also be responsible for admission into the regulatory sandbox and for assigning selected participants to the appropriate state agency. The program stipulates that innovative products or services may only be offered to state residents, with the exception of products and services associated with a money transmitter, “in which case only the physical presence of the consumer in the [s]tate at the time of the transaction may be required.” The program also allows participants and the applicable state agency to mutually agree to an extension or an increase in the numbers of consumers or dollar limits for a particular product or service. Among other things, participants may also request an extension of not more than 12 months to obtain a license or other authorization required by law to continue to market the product or service. The Act is effective immediately.