Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • New Hampshire enshrines a new consumer privacy law

    Privacy, Cyber Risk & Data Security

    On March 6, the Governor of New Hampshire, Chris Sununu, signed into law a sweeping consumer privacy bill. Under the act, consumers will have the right to confirm if a controller (an individual who controls personal data) is processing their personal data, a right to access that data, as well as correct inaccuracies, obtain a copy, delete, and opt-out of the processing of the data for targeted advertising purposes. The act also imposed limits on collectors, including that a controller shall (i) limit the collection of data to only what is adequate, relevant, and reasonably necessary for the intended purpose; (ii) establish and maintain administrative security practices to protect the confidentiality of consumer personal data; (iii) not process sensitive data without obtaining the consumer’s consent or, if the data concerns a known child, process the data in accordance with COPPA; (iv) provide an easy means for consumers to revoke consent; and (v) not process personal data for targeted advertising purposes without consumer consent. The bill further outlined a processor’s responsibilities and required controllers to conduct a data protection assessment for each action that may present a risk of harm to a consumer. The act will go into effect on January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues New Hampshire State Legislation Opt-Out

  • New York Attorney General sues over 25 lenders for predatory lending operation

    State Issues

    On March 5, New York Attorney General Letitia James released a verified petition against 27 lenders accusing them of a “large-scale, predatory lending” operation in which they allegedly misrepresented themselves in order to issue small businesses short-term loans at “sky-high interest rates” in violation of New York Executive Law §63(12). According to the petition, the 27 lenders (Respondents) have issued “illegal, usurious” and fraudulent loans in the form of Merchant Cash Advances (MCAs), which imposed triple-digit interest rates as high as 820 percent. The NYAG noted such rates are beyond both the maximum civil usury interest rate (16 percent) and the maximum criminal usury interest rate (25 percent). The petition also alleged the Respondents misrepresented their transactions in court, making the court an “unwitting part of their illegal scheme.”

    The petition asked the court to permanently enjoin Respondents from committing any further fraudulent or illegal practices, cease all MCA collection payments, and void and rescind all MCAs. The NYAG also will seek and order that the Respondents disgorge all profits and award civil penalties of $5,000 for each fraudulent MCA transaction and $2,000 in costs from each Respondent. 

    State Issues State Attorney General New York Fraud Lending Predatory Lending

  • Wyoming amends its open banking provisions

    State Issues

    On March 8, the Wyoming governor signed HB 145 (the “Act”) related to open banking, making two changes. First, the amendment updated the definition of a “customer” as a natural person or an agent, trustee, or representative acting on behalf of a natural person. Second, and for banks already participating in open banking, the Act limited the release of consumer data to third-party financial service providers to data that is only necessary for the consumer to receive the third-party product or service. The Act will go into effect on July 1. 

    State Issues State Legislation Wyoming Open Banking

  • CPPA releases latest draft of automated decision-making technology regulation

    State Issues

    The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).

    Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.

    The draft regulations also included a new article, entitled “risk assessments,” which provided requirements as to when a business must conduct certain assessments and requirements that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business which processes consumers’ personal information may present significant risk to consumers’ privacy and must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.

    The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change. 

    State Issues Privacy Agency Rule-Making & Guidance California CPPA Artificial Intelligence

  • New York State bill requires disclosure of beneficial owners of limited liability companies

    State Issues

    On March 1, a newly enacted bill from New York State, S8059, (the “Act”) was signed by the governor and amended New York State law governing limited liability companies by mandating New York LLCs to file beneficial ownership information with the New York Department of State. The Act set a deadline for new LLCs to file the required ownership information within 30 days of their establishment; for existing LLCs, the bill required them to comply with the new requirements by January 1, 2026. The Act demanded that exempt companies, defined as LLCs or foreign LLCs not otherwise defined as a reporting company that met a condition for exemption in 31 U.S.C. §5336(a)(11)(B), electronically declared their statuses and the basis for their exemptions shortly after formation. It further imposed an annual requirement on all limited liability companies to update or confirm their ownership or exempt status. Additionally, access to the beneficial ownership reports was restricted to law enforcement under certain conditions. The Act enforced compliance with the requirements by imposing up to $500 daily fines for late submissions, the possibility of companies being marked as delinquent, and the threat of dissolution for persistent non-compliance.

    State Issues New York State Legislation Beneficial Ownership

  • California Attorney General warns small banks and credit unions on fees

    State Issues

    On February 22, California State Attorney General, Rob Bonta, issued a letter to small banks and credit unions cautioning that overdraft and returned deposited item fees may infringe upon California’s Unfair Competition Law (UCL) and the CFPA. The letter, directed at institutions in California with assets under $10 billion, highlighted concerns that such fees disproportionately burden low-income and minority consumers. Bonta emphasized that these fees often catch consumers off guard, leading to significant financial strain, and urged the financial institutions in California to comply with state and federal laws by eliminating such practices.

    The letter underscores how overdraft and returned deposited item fees can harm consumers, and potentially constitute unfair acts against them. Bonta also pointed out how overdraft fees cannot be reasonably anticipated due to the complexities of transaction processing, making it challenging for consumers to make informed financial decisions. Furthermore, the letter warned that imposition of returned deposited item fees, which are charges by financial institutions when a consumer deposits a check that bounces (due to an issue with the check originator such as insufficient funds or a stop payment order), is likely an unfair business practice in violation of the UCL and CFPA because consumers are usually unable to reasonably avoid the fee. 

    This action by the California Attorney General is notable for its focus on smaller financial institutions that were expressly excluded from the CFPB’s proposed rule last month on overdraft fees (previously covered by InfoBytes here); however, the action is broadly consistent with the CFPB’s guidance on returned deposited item fees (also covered by InfoBytes here).

    State Issues California State Attorney General Overdraft CFPA Unfair

  • Minnesota Attorney General settles with tribal company over high interest rates

    State Issues

    On February 21, the Minnesota Attorney General announced a settlement with a tribal economic development entity to resolve a 2023 federal lawsuit that alleged the entity’s lending subsidiaries were engaged in predatory lending and illegal interest rates, in violation of Minnesota and federal consumer lending laws. As previously covered by InfoBytes, the complaint claimed that the entity’s lending subsidiaries charged interest rates of up to 800 percent in violation of state statutory caps of eight percent, and led state residents to believe that the entity was exempt from state laws that protect against predatory lending.

    Under the terms of the settlement, the entity and its subsidiaries can no longer lend to Minnesota residents nor advertise or market those loans. The settlement also required any loan issued to consumers in Minnesota before the settlement is canceled, except to recover the original principal balance with all past payments to be attributed towards paying down the principal balance.

    State Issues Courts Minnesota Interest Rate Consumer Finance State Attorney General Settlement Enforcement Consumer Protection

  • New York AB 2672 goes into effect and establishes credit card surcharge provisions

    State Issues

    Recently, New York AB 2672 (the "Act") was enacted, and went into effect on February 11. The Act requires merchants that impose a credit surcharge fee to clearly and conspicuously post prices inclusive of a surcharge fee. The Act allows merchants to use a two-tier pricing system, in which two different prices display whether a consumer uses a credit card or another form of payment on a transaction. The Act also establishes a civil penalty not to exceed $500 for each violation. 

    State Issues Credit Cards New York Surcharge State Legislation

  • New York State Attorney General wins $77 million judgment against short-term lenders for predatory lending

    State Issues

    On February 8, New York State Attorney General (AG) Letitia James announced a more than $77 million judgment against three merchant cash advance (MCA) companies for usury and fraud based on allegations the lenders used short-term loans to charge illegally high-interest and undisclosed fees. 

    In a June 2020 announcement, Attorney General James detailed her office’s investigation, which concluded that the companies employed practices including (i) extending MCAs to small business owners at illegal interest rates over short durations; (ii) imposing undisclosed fees; (iii) withdrawing excess amounts from merchants’ bank accounts; and (iv) procuring judgments against merchants through the submission of falsified affidavits in New York State courts.

    The judgment follows a September 2023 court decision finding violations of New York’s prohibitions against, among other things, usury and predatory lending, and requiring the companies to cease collections and to repay thousands of small businesses the interest they paid. The companies were ordered to provide the full restitution and damages within 60 days to all merchants who entered into MCAs, including refunding all amounts taken from merchants or their guarantors in connection with the MCAs, minus the principal amounts funded to the borrowers. After the companies failed to pay the damages, the AG sought the entry of the monetary judgment from the court. 

    State Issues New York State Attorney General Enforcement Small Business Lending Interest Usury

  • California appeals court vacates a ruling on enjoining enforcement of CPRA regulations

    State Issues

    On February 9, California’s Third District Court of Appeal vacated a lower court’s decision to enjoin the California Privacy Protection Agency (CPPA) from enforcing regulations implementing the California Privacy Rights Act (CPRA).  The decision reverses the trial court’s ruling delaying enforcement of the regulations until March 2024, which would have given businesses a one-year implementation period from the date final regulations were promulgated (covered by InfoBytes here).

    The CPRA mandated the CPPA to finalize regulations on specific elements of the act by July 1, 2022, and provided that “the Agency’s enforcement authority would take effect on July 1, 2023,” a one-year gap between promulgation and enforcement. The CPPA did not issue final regulations until March of 2023, but sought to enforce the rules starting on the July 1, 2023, statutory date.  In response, in March 2023, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations.  The trial court held that a delay was warranted because “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” On appeal, the court emphasized that there is no explicit and unambiguous language in the law prohibiting the agency from enforcing the CPRA until at least one year after final regulations are approved, and that and found that while the mandatory dates included in the CPRA “amounts to a one-year delay,” such a delay was not mandated by the statutory language. The court further found that there is no indication from the ballot materials available to voters in passing the statute that the voters intended such a one-year delay. The court explained that the one-year gap between regulations could have been interpreted to give businesses time to comply, or as a period for the agency to prepare for enforcing the new rules, or there may also be other reasons for the gap.

    Accordingly, the appellate court held that Chamber of Commerce “was simply not entitled to the relief granted by the trial court.” As a result of the court’s decision, businesses are now required to commence implementing the privacy regulations established by the agency. 

    State Issues Privacy Courts California Appellate CPPA CPRA

Pages

Upcoming Events