InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California authorizes prepaid accounts to accept publicly administered funds provided no overdraft fees
On October 5, the California governor signed SB 497, which, among other things, amends the definition of a “qualifying account” use for the purposes of depositing certain publicly administered funds. The amendment eliminates prepaid card accounts from the definition of “qualifying account,” and instead authorizes “a prepaid account or a demand deposit or savings account offered by or through an entity other than an insured depository financial institution, as specified, that is not attached to an automatic credit or overdraft feature, unless the credit or overdraft feature has no fee, charge, or cost, or it complies with the requirements for consumer credit under the federal Truth in Lending Act.” Specifically, persons or entities that are not insured depository financial institutions but who offer, maintain, or manage non-“qualifying accounts” are prohibited from soliciting, accepting, or facilitating the direct deposit of the publicly administered funds into the accounts.
DFPI reports sharp decrease in consumer lending and PACE financing
On October 7, the Department of Financial Protection and Innovation (DFPI) released a report showing significant changes in consumer lending activity, likely attributable to a number of factors including the Covid-19 pandemic, state and federal financial assistance, student loan payment moratoriums, favorable interest rates, and increased reporting of alternative financing products. The 2020 annual report examined unaudited data gathered from finance lenders, brokers, and Property Assessed Clean Energy (PACE) administrators licensed under the California Financing Law, as well as new data from the “Buy Now, Pay Later” (BNPL) industry. Findings showed, among other things, a sharp decrease in certain types of consumer loans with BNPL products (often interest-free), decreasing overall by 41 percent in 2019. However, the report found that consumer loans, excluding BNPL, increased 94.8 percent during the same period—a result likely caused by an increase in originations of consumer loans secured by real estate. Finance lenders, including BNPL, originated nearly 12 million consumer loans in 2020 (a 530 percent increase over the prior year), with the top six BNPL lenders accounting for 91 percent of the total consumer loans originated in 2020. DFPI noted that a surge in BNPL unsecured consumer loans reported to the regulator shows that BNPL payment options are becoming increasingly popular. DFPI also discussed recent BNPL enforcement actions, which required companies to consider a consumer’s ability to repay a loan and subjected the companies to rate and fee caps.
The report also examined PACE financing data. According to findings, there was an 18 percent decline in the total number of PACE assessment contracts funded and originated in 2020, and a 30 percent decrease in gross income for PACE program administrators since 2019.
California passes legislation on automatic subscriptions
On October 4, the California governor signed AB 390, which amends and adds Section 17602 of the Business and Professions Code regarding automatic subscription renewals. The law applies to businesses conducting automatic renewal or continuous services offers to California customers. Among other things, the bill requires that: (i) notice be provided at least 3 days before and at most 21 days before the expiration of the period for which a fee gift or trial, or promotional or discounted price, applies; (ii) notice be provided at least 15 days and not more than 45 days before the automatic renewal offer or continuous service offer renews; and (iii) a business allow a consumer to terminate the automatic renewal or continuous service offer without engaging in steps that may delay the consumer’s ability to immediately terminate the policy. The bill also specifies that a “‘free gift’ does not include a free promotional item or gift given by the business that differs from the subscribed product.” The law takes effect July 1, 2022.
District Court says Reg. J does not preempt state law in wire transfer case
On October 5, a federal judge for the U.S. District Court for the Western District of Pennsylvania remanded a case back to state court, holding that the Federal Reserve’s regulation governing Fedwire transfers does not completely preempt state law claims. The elderly plaintiff alleged that bank employees helped her execute wire transfers totaling $4.3 million to an unknown scam artist, but never questioned whether she “intended, or knew, that the wire transfers were being made through a crypto currency bank to a crypto currency trust company.” The plaintiff sued the bank, claiming that it was negligent in not protecting her from the scheme, and that its advertising claims about keeping client information safe from scams were misleading and violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. While recognizing that the plaintiff only asserted state law claims, the bank removed the case to federal court on the ground that the Fedwire system used to make the transfers was governed by the Fed’s Regulation J, and thus state law was preempted.
The court ruled that, while the bank could invoke Regulation J as a defense, the regulation does not expressly provide a private right to seek redress in federal court, nor does the regulation itself allow the bank to remove the case to federal court. “[T]he court concludes that the more persuasive case law reflects that only Congress (not a federal agency in a regulation) can completely preempt a state law cause of action to create removal jurisdiction.” The plaintiff did not assert federal claims, and so “[t]he mere fact that [the bank] intends to assert Regulation J as a preemption defense does not create removal jurisdiction.” Furthermore, the court cited the Fed’s commentary to Regulation J, which said regulations “may pre-empt inconsistent provisions of state law” but do not affect state law where there was no conflict. Since there was no conflict between Regulation J and the Pennsylvania law, the federal regulation does not provide the exclusive cause of action, the court said.
California to examine feasibility of public banking
On October 4, the California governor signed AB 1177, which establishes the California Public Banking Option Act and requires the state treasurer to convene a commission to conduct a market analysis to determine the feasibility of establishing a program for California consumers who lack access to traditional banking services. The CalAccount Program, if implemented, would protect unbanked and underbanked consumers from predatory, discriminatory, and costly alternatives by providing “access to a voluntary, zero-fee, zero-penalty, federally insured transaction account . . . and related payment services at no cost to accountholders.”
Among other things, the Act would (i) require the establishment of a process for accountholders to deposit funds into a CalAccount for no fee; (ii) impose a mandate requiring employers and hiring entities to maintain payroll direct deposit arrangements to allow workers to voluntarily participate in the program; (iii) require landlords to allow tenants to pay rent and security deposits by electronic funds transfers from a CalAccount; (iv) require a board (established to administer the program) to contract with and coordinate financial services vendors for the program and build an expansive financial services network of participating ATMs, banks, credit union branches, and other in-network partners to allow account holders to load or withdraw funds from their CalAccount without paying fees; (v) require the board to establish a no-fee process to allow all account holders to arrange for payments to a registered payee using a preauthorized electronic fund transfer from a CalAccount; (vi) establish rules governing the participation of individuals under the age of 18; (vii) provide a secure web-based portal and mobile application to allow individuals access and management of their CalAccount; and (viii) facilitate connectivity with other state and local government agencies and entities so public assistance programs and other disbursements may be directly deposited by electronic fund transfer into a CalAccount. The Act requires the commission to be convened on or before September 1, 2022, with the market analysis due on or before July 1, 2024 to the Chair of the Senate Committee on Banking and Financial Institutions and the Chair of the Assembly Committee on Banking and Finance.
California governor signs legislation on debt collection
On October 4, the California governor signed SB 531, which requires debt collectors to provide more information to consumers when assigned to collect a debt. Among other things, the bill: (i) expands the standards to allow Californians to verify a collector’s authority; (ii) bans creditors from selling the debt without first giving the debtor 30-day notice; (iii) requires debt buyers to provide a written statement to the debtor upon request; and (iv) prohibits, in certain circumstances, a debt collector from making a written statement to a debtor in an attempt to collect a delinquent consumer debt. The law is effective starting July 1, 2022.
District Court grants final approval of $92 million class action settlement over privacy violations
On August 22, the U.S. District Court for the Northern District of Illinois granted final approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA), among other things, by defying state and federal privacy laws through a social media platform and entertainment application (app). The first of the 21 putative class actions comprising this multidistrict litigation were filed in 2019, and the other 20 putative class actions were filed in 2020 in separate federal districts. Class members, comprised of U.S. residents who used the app prior to preliminary approval, and an Illinois subclass of all Illinois residents who used the app to create videos before preliminary approval, filed a consolidated amended class action complaint in 2020, claiming that the defendants harvested and profited from users’ private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings. The defendants argued, among other things, that the class members consented to the alleged misconduct by accepting the app’s terms of service.
Under the terms of the settlement, the defendants must pay “$92 million in monetary relief and an array of injunctive relief for the putative settlement class.” The settlement also requires the defendants to, among other things: (i) refrain from using the app to collect or store certain U.S. user data, including biometric data and geolocation information, without making the necessary disclosures; (ii) delete all pre-uploaded user-generated content collected from U.S. users who did not “save” or “post” the content; and (iii) require a new, yearly training program for the defendants’ employees and contractors regarding compliance with data privacy laws.
District Court: Company must face CCPA class action after ransomware attack
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”
As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”
Soltani to head the California Privacy Protection Agency
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
Massachusetts highlights UDAP risks of representment fees
On September 23, the Massachusetts Office of Consumer Affairs and Business Regulation, Division of Banks, issued a supervisory alert reminding financial institutions to clearly disclose representment non-sufficient funds (NSF) fees connected to deposit accounts to avoid consumer confusion as well as potential legal and regulatory risks. The alert explains that a representment NSF fee may occur when a financial institution presents the same transaction again, in an attempt to obtain declined funds. According to the alert, a “repeated merchant payment transaction can trigger the assessment of multiple NSF fees by a depository institution if the transaction is presented more than once,” causing some financial institutions to charge the consumer an NSF fee for both the original presentment as well as for each subsequent representment. The alert discusses consumer protection risks associated with the representment of NSF fees, including recent class action lawsuits for breach of contract, some of which have resulted in customer reimbursements and legal fees. Additionally, the alert highlights issues with standard industry deposit account agreements and fee schedules supplied by payment processing software vendors to financial institutions, which may not adequately explain an institution’s actual NSF fee practices as disclosed to customers. While certain disclosures and account agreements may indicate that one NSF fee will be charged “per item” or “per transaction,” these forms may not sufficiently explain that the same processed transaction may trigger multiple NSF fees. The alert reminds financial institutions charging representment fees that they risk violating state and federal UDAP law if their relevant account disclosures and agreements are not in compliance, and urges financial institutions to review deposit disclosures and contract language to ensure NSF fees are clearly and consistently communicated to consumers.