
InfoBytes Blog

Financial Services Law Insights and Observations



  • DFPI issues proposed rulemaking under CCFPL

    On November 17, the California Department of Financial Protection and Innovation (DFPI) issued an invitation for comments on proposed rulemaking under the California Consumer Financial Protection Law (CCFPL). The CCFPL provides DFPI with the authority to require companies that provide financial products and services to California consumers to register with the agency. DFPI is also able to “require registrants to generate and provide records to facilitate oversight of registrants and detect risks to California consumers.” The draft rule proposes requiring registration for industries that engage in the following financial products and services: debt settlement, student debt relief, education financing, and wage-based advances. According to DFPI’s notice, with respect to education financing, the proposed rulemaking covers providers of any form of credit where the credit’s purpose is to fund postsecondary education. It also covers “credit regardless of whether the provider labels the credit a loan, retail installment contract, or income share agreement, and regardless of whether the credit recipient’s payment obligation is absolute, contingent, or fixed.” Additionally, DFPI notes that “[w]ith respect to education financing with income-based payments, including contracts sometimes referred to as income share agreements,” DFPI proposes “reporting requirements that in some cases diverge from the reporting requirements for education financing with fixed payments.”

    The proposed rulemaking provides definitions to implement the CCFPL registration regulations and addresses several registration provisions including the following:

    • Provides that a person must not engage in the business of offering or providing the designated products and services without first registering with the commissioner unless exempt. The DFPI’s notice stipulates that registering with the commissioner “does not constitute a determination that other laws, including other licensing laws under the commissioner’s jurisdiction, do not apply” and the proposed rulemaking further provides that “granting registration to an applicant does not constitute a determination that the applicant’s acts, practices, or business model complies with any law or regulation.”
    • Outlines registration requirements and designates NMLS to handle all applications, registrant filings, and fee payments on behalf of the commissioner. The proposed rulemaking lays out information that must be submitted and maintained as part of the registration application, as well as notices required by state law, and steps registrants must take when making changes to an application filing. An applicant’s failure to provide all or any part of the requested information may prevent approval, DFPI states.
    • Outlines requirements for registrants seeking to conduct business at a new branch office or at a new location for an existing branch. Requests must be filed with NMLS within 30 calendar days of the date a registrant engages in business at the new branch office or new location.
    • Addresses procedures related to annual assessments and pro rata payment requirements, as well as annual reporting requirements for registrants based on the products and services they provide.
    • Outlines procedures and requirements for rescinding a summary revocation order when a former registrant submits a written request for reinstatement to the commissioner.
    • Discusses procedures related to the effectiveness, surrender, and revocation of a registration. DFPI provides that a “registration issued under this subchapter is effective until it is revoked by the commissioner, is surrendered by the registrant, or becomes inoperative under subdivision (b) of Financial Code section 90009.5.”

    DFPI’s notice also seeks comments on proposals to streamline the registration process and improve transparency and clarification on matters related to, among other things: (i) the types of information that may be subject to public disclosure; (ii) annual reporting requirements not included in the proposed rulemaking; and (iii) certain registration requirements that may be applicable to DFPI licensees and licensees and registrants of other state agencies. In addition, DFPI seeks stakeholder feedback on the economic impact of the draft rules on businesses and consumers in California.

    Comments on the proposed rulemaking are due December 20.

    Licensing State Issues State Regulators DFPI CCFPL Consumer Finance Debt Settlement Student Lending Debt Relief Earned Wage Access NMLS

  • NYDFS issues final guidance for insurers on climate change financial risks

    State Issues

    On November 15, NYDFS issued final guidance to New York regulated-domestic insurers on managing climate change-related financial risks. The final guidance reflects the agency’s consideration of stakeholder comments from proposed guidance issued in March, and was informed by NYDFS’s collaboration with the insurance industry and international regulators. Building on a 2020 insurance circular letter addressing climate change and financial risks, the final guidance outlines expectations that insurers begin “integrating the consideration of the financial risks from climate change into their governance frameworks, business strategies, risk management processes and scenario analysis, and developing their approach to climate-related financial disclosure.” Specifically, an insurer should (i) incorporate into its governance structure, at either “the group or insurer entity level,” climate-risk considerations; (ii) consider current and forward-looking climate-related implications on its operations through “time horizons” appropriately tailored to the insurer’s activities and decisions; (iii) incorporate in its current financial risk management framework analyses of the effect of climate risks on existing risk factors; (iv) employ scenario analysis to inform business strategy decisions, risk assessments, and identification; and (v) disclose its climate risks and engage with NYDFS’s Task Force on Climate-related Financial Disclosures when developing climate disclosure approaches. NYDFS will monitor insurers’ progress in implementing these expectations with respect to organizational structures, which insurers must have in place by August 15, 2022. The NYDFS noted it will provide further guidance on timing for implementing “the more complex expectations outlined in the guidance.”

    State Issues State Regulators NYDFS Insurance Climate-Related Financial Risks Risk Management Bank Regulatory

  • 11th Circuit to rehear Hunstein v. Preferred Collection & Management Services


    On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.

    Courts Debt Collection Third-Party Disclosures Appellate Eleventh Circuit Vendor Hunstein FDCPA Privacy/Cyber Risk & Data Security

  • 4th Circuit: Tribal lenders must face usury claims


    On November 16, the U.S. Court of Appeals for the Fourth Circuit upheld a district court’s ruling denying defendants’ bid to dismiss or compel arbitration of a class action concerning alleged usury law violations. The plaintiffs—Virginia consumers who defaulted on short-term loans received from online lenders affiliated with a federally-recognized tribe—filed a putative class action against tribal officials as well as two non-members affiliated with the tribal lenders, alleging the lenders violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and Virginia usury laws by charging interest rates between 544 and 920 percent. The defendants moved to compel arbitration under a clause in the loan agreements and moved to dismiss on various grounds, including that they were exempt from Virginia usury laws. The district court denied the motions to compel arbitration and to dismiss, ruling that the arbitration provision was unenforceable as a prospective waiver of the borrowers’ federal rights and that the defendants could not claim tribal sovereign immunity. The district court also “held the loan agreements’ choice of tribal law unenforceable as a violation of Virginia’s strong public policy against unregulated lending of usurious loans.” However, the district court dismissed the RICO claim against the tribal officials, ruling that RICO only authorizes private plaintiffs to sue for money damages and not injunctive or declaratory relief.

    On appeal, the 4th Circuit concluded that the arbitration clauses in the loan agreements impermissibly force borrowers to waive their federal substantive rights under federal consumer protection laws, and contained an unenforceable tribal choice-of-law provision because Virginia law caps general interest rates at 12 percent. As such, the appellate court stated that the entire arbitration provision is unenforceable. “The [t]ribal [l]enders drafted an invalid contract that strips borrowers of their substantive federal statutory rights,” the appellate court wrote. “[W]e cannot save that contract by revising it on appeal.” The 4th Circuit also declined to extend tribal sovereign immunity to the tribal officials, determining that while “the tribe itself retains sovereign immunity, it cannot shroud its officials with immunity in federal court when those officials violate applicable state law.” The appellate court further noted that the “Supreme Court has explicitly blessed suits against tribal officials to enjoin violations of federal and state law.” The 4th Circuit ultimately affirmed the district court’s judgment, noting that the loan agreement provisions were unenforceable because “tribal law’s authorization of triple-digit interest rates on low-dollar, short-term loans violates Virginia’s compelling public policy against unregulated usurious lending.”

    The appellate court also agreed with the district court that RICO does not permit private plaintiffs to seek an injunction. “Congress’s use of significantly different language” to define the scope of governmental and private claims under RICO “compels us to conclude” that “private plaintiffs may sue only for treble damages and costs,” the appellate court stated. While plaintiffs “urge us to consider by analogy the antitrust statutes,” provisions outlined in the Clayton Act (which explicitly authorize injunction-seeking private suits) have “no analogue in the RICO statute,” the appellate court wrote, adding that “nowhere in the RICO statute has Congress explicitly authorized private actions for injunctive relief.”

    Courts Fourth Circuit Appellate Tribal Lending Tribal Immunity RICO State Issues Interest Usury Online Lending Class Action Consumer Finance

  • District Court grants defendant’s motion in FCRA, FDCPA case


    On November 10, the U.S. District Court for the Western District of New York granted a defendant debt agency’s motion for judgment resolving FCRA and FDCPA allegations. A father allegedly co-signed an apartment lease for his daughter (collectively, “plaintiffs”), which included a provision that allowed the plaintiffs to terminate the lease if another individual took over the lease. The plaintiffs allegedly did not move in but identified two replacement tenants to take over the lease. The owner of the apartment allegedly signed separate leases with the identified replacement tenants and “thwarted [plaintiffs’] efforts to have someone take over [the] [l]ease.” The owner placed the debt with the defendant for collection, who reported the debt to three credit reporting agencies. The plaintiffs disputed the debt, but the defendant confirmed the accuracy of the information. The plaintiffs sued, alleging the defendant violated the FCRA for not conducting a proper investigation of the dispute, and the FDCPA for attempting to collect the allegedly invalid debt, which allegedly negatively impacted the plaintiffs’ credit scores, their ability to obtain a car loan, and efforts to apply for an apartment.

    With respect to the FCRA claim, the district court found that the plaintiffs’ allegation regarding an inaccurate debt “turns on an unresolved legal question, a section 1681s-2(b) claim that a furnisher failed to conduct a reasonable investigation of disputed credit information cannot stand.” Additionally, since the claim was “tethered to a legal dispute,” the district court found that it cannot form the basis of an FCRA claim. With respect to the FDCPA allegations, the district court dismissed the claim finding that the plaintiffs did not adequately state a claim because the plaintiffs’ claim was based on “nothing more than their conclusory and self-serving allegations that they do not owe the [d]ebt.”

    Courts FCRA FDCPA New York Debt Collection Consumer Finance

  • New rule gives banks 36 hours to disclose cybersecurity incidents

    Agency Rule-Making & Guidance

    On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.

    Agency Rule-Making & Guidance Federal Issues FDIC OCC Federal Reserve Privacy/Cyber Risk & Data Security Bank Regulatory Third-Party

  • OCC calls for modernization of financial regulatory perimeter as fintechs/crypto firms increase

    Federal Issues

    On November 16, acting Comptroller of the Currency Michael J. Hsu told attendees at the Federal Reserve Bank of Philadelphia’s Fifth Annual Fintech Conference that the federal banking agencies are “approaching crypto activities very carefully and with a high degree of caution” and “expect banks to do the same.” Hsu pointed out that while changes to the financial regulatory perimeter generally occur as a response to crises and failures, regulatory agencies need to take proactive modernization measures given the astounding growth and expansion of fintechs and cryptocurrencies. Hsu highlighted several important questions that agencies must consider, including whether fintech and crypto firms will start to function like banks and whether bringing them into the bank regulatory perimeter would be the proper solution. He also stated that regulatory agencies must consider whether the risks faced by banks and fintech/crypto firms are the same and, subsequently, whether agencies need to modernize or maintain their status quo. Hsu focused on two specific areas of concern: (i) synthetic banking, or fintechs, operating outside the bank regulatory perimeter but that offer a range of services, including extending various forms of credit and offering interest on cash held in accounts (emphasizing the importance of fintech-bank partnerships); and (ii) the fragmented supervision of universal crypto firms, where Hsu asserted that gaps in supervision are driven by the fact that crypto firms are not subject to comprehensive consolidated supervision.

    Hsu announced that the agencies will soon issue a statement conveying results from a recent interagency “crypto sprint,” and that the OCC will also provide clarity on its recently concluded review of crypto-related interpretive letters. Hsu explained that “safety and soundness is paramount” when banks engage in crypto activities and that the agencies’ clarifications “should not be interpreted as a green light or a solid red light, but rather as reflective of a disciplined, deliberative, and diligent approach to a novel and risky area.”

    Federal Issues OCC Fintech Cryptocurrency Bank Regulatory Bank Supervision

  • Fed announces written agreement against China-based bank and NY branch

    Federal Issues

    On November 16, the Federal Reserve Board announced an enforcement action against a Chinese state-owned bank’s New York branch for alleged credit risk management deficiencies. The written agreement requires the bank and its branch to jointly submit a written plan to strengthen senior management oversight of risk management and internal controls, including a sustainable governance and risk management framework. Among other things, the plan must ensure that the branch’s risk management, internal audit function, and credit risk functions maintain appropriate stature and independence, and that potential credit risks are timely escalated. Additionally, risk management roles and responsibilities must be “clearly defined” in the plan, and the bank must ensure that “data management procedures are incorporated into an effective data governance framework.” After the Fed approves the plans, the bank and branch will have 30 days following the end of each quarter to submit “written progress reports detailing the form and manner of all actions taken to secure compliance” with the provisions of the written agreement. 

    Federal Issues Federal Reserve Enforcement Of Interest to Non-US Persons

  • CFPB seeks input on HMDA

    Federal Issues

    On November 16, the CFPB issued a notice and request for comments regarding the rules for implementing the Home Mortgage Disclosure Act (HMDA). The Request for Information (RFI) solicits public comments on its plans to assess the effectiveness of the HMDA Rule, focusing on, among other things: (i) institutional and transactional coverage; (ii) data points; (iii) benefits of the new data and disclosure requirements; and (iv) operational and compliance costs. According to the CFPB, the RFI follows a 2021 HMDA report, which found that mortgage lenders deny credit and charge higher interest rates to Black and Hispanic applicants more often than white applicants, and a July 2021 report that analyzed 2020 HMDA loan data and examined the differences in mortgage characteristics across Asian American and Pacific Islander subgroups. (Covered previously by InfoBytes here and here.) Additionally, the RFI notes that the Bureau expects to issue a report on the findings of its assessment of the HMDA Rule by January 1, 2023. The Bureau also notes that it “plans to review recent changes to the rule and evaluate their effectiveness,” and that the assessment “will strengthen the CFPB’s ability to maintain a fair, competitive, and non-discriminatory mortgage market.” The deadline for submitting comments on the RFI is 60 days after the notice is published in the Federal Register.

    Federal Issues CFPB Consumer Finance HMDA Federal Register Agency Rule-Making & Guidance Mortgages

  • Bank to pay $3.5 million to settle debt collection call suit

    State Issues

    On November 15, a statewide team of California district attorneys announced a $3.5 million settlement to resolve allegations concerning a Utah-based bank’s debt collection activities. The California Debt Collection Task Force handled the investigation and charged the bank and its agents with allegedly placing harassing and unreasonably excessive collection calls, sometimes even after consumers informed the bank they no longer wished to receive the calls. While the bank did not admit to wrongdoing, it agreed to pay $3.5 million, including $2 million in civil penalties and $975,000 in investigation costs. The bank will also pay $525,000 to a charitable trust fund to go towards additional consumer protection efforts. Additionally, the judgment requires the bank to “implement and maintain policies and procedures to prevent unreasonable and harassing debt collection calls to California consumers, including limiting the total number of calls to each debtor and honoring consumer requests for calls to stop.”

    State Issues Settlement Debt Collection Consumer Protection Consumer Finance
