Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • New Hampshire enacts SB 255, a comprehensive consumer privacy bill

    State Issues

    Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

    The Act will define new terms, such as "sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

    The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability.  Consumers will also be protected against discrimination for exercising any of the above rights.

    The Act contained controller responsibilities, including:

    • Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
    • not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
    • Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
    • Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
    • Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
    • Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

    The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

    The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection

  • CFPB sends letters of support for New York’s pending unfair and abusive conduct prohibition

    State Issues

    On March 19, the CFPB published a blog post providing input on New York State’s proposed prohibition on unfair and abusive acts, urging passage of A 7138 and S 795, companion bills that are titled the “Consumer and Small business Protection Act” (the “Acts”). The blog post followed the CFPB’s delivery of letters in support of the Act to Governor Hochul, state senators, and state assembly members.

    The Acts would expand Section 349 of New York’s general business law to prohibit unfair or abusive acts or practices, in addition to the existing prohibition on deceptive acts or practices. The Acts would also give the New York attorney general authority to bring an action for unfair, unlawful, deceptive, or abusive acts or practices, “regardless of whether or not the underlying violation is directed at individuals or businesses, is consumer-oriented, or involves the offering of goods, services, or property for personal, family or household purposes,” and would give “any person who has been injured by reason of any violation of this section” authority to bring “an action to recover one thousand dollars and his or her actual damages, if any, or both such actions, … regardless of whether or not the underlying violation is consumer-oriented, has a public impact or involves the offering of goods, services or property for personal, family or household purposes.”

    The Acts defined an act or practice as unfair “when it causes or is likely to cause substantial injury, the injury is not reasonably avoidable, and the injury is not outweighed by countervailing benefits.” They provided that an “act or practice is deceptive when the act or practice misleads or is likely to mislead a person and the person’s interpretation is reasonable under the circumstances,” and that an act or practice is abusive when “it materially interferes with the ability of a person to understand a term or condition of a product or service,” or “takes unreasonable advantage of: (A) a person’s lack of understanding of the material risks, costs, or conditions of a product or service; (B) a person’s inability to protect his or her interests in selecting or using a product or service; or (C) a person’s reasonable reliance on a person covered by this section to act in his or her interests.” The Bureau’s letters to the state governor and legislature noted that the “reasonable reliance” component of the Acts is “critical,” and like the federal prohibition that “recognizes that people often reasonably expect that certain businesses will help them make difficult financial decisions, and there is potential for betrayal or exploitation of that trust.” The CFPB also mentioned that it has brought numerous actions based on that particular component.

    The Acts provided that “standing to bring an action under this section, including but not limited to organizational standing and third-party standing, shall be liberally construed and shall be available to the fullest extent otherwise permitted by law.” Further, “[a]ny individual or non-profit organization entitled to bring an action” under the Acts “may, if the prohibited act or practice has caused damage to others similarly situated, bring an action on behalf of himself or herself and such others to recover actual, statutory and/or punitive damages or obtain other relief as provided for in” the Acts. A nonprofit also may bring an action on behalf of itself, its members, or members of the public that have been injured by a violation of the Acts. Nonprofits may seek the same remedies and damages as individuals. 

    State Issues CFPB Unfair Deceptive Abusive State Legislation New York

  • Wisconsin enacts SB 628 to protect vulnerable adults

    State Issues

    On March 22, the Governor of Wisconsin signed SB 628 (the “Act”), which “allows financial service providers to refuse or delay financial transactions when financial exploitation of a vulnerable adult is suspected.”

    The Act would authorize financial service providers to refuse or postpone financial transactions on accounts held by or benefiting a vulnerable adult—a term defined as “an adult at risk or an individual who is at least 65 years of age”—if there is a reasonable suspicion of financial exploitation. The Act would not mandate covered financial service providers, which included financial institutions, mortgage bankers, brokers, and loan originators, among others, to take such action. Additionally, financial service providers were allowed, but not obligated, to act on information from elder-adult-at-risk agencies, adult-at-risk agencies, or law enforcement regarding potential financial exploitation. The Act mandated that financial service providers give notice when transactions are refused or delayed and defined the time limits for such actions. It also permitted financial service providers to refuse to accept a power of attorney if financial exploitation is suspected. Moreover, the Act outlined a procedure for financial service providers to compile a list of contacts that a vulnerable adult authorizes, which can be used if exploitation is suspected, and authorized the financial service provider to share its suspicions with designated individuals, including those on the list. Financial service providers acting in good faith would be granted immunity from any criminal, civil, or administrative liability for actions such as (i) refusing or not refusing a financial transaction; (ii) refusing to accept or accepting a power of attorney; (iii) contacting or not contacting a person to convey suspicion of financial exploitation; and (iv) any action based on a reasonable determination related to these measures. The Act went into effect on March 23. 

    State Issues Wisconsin Consumer Protection State Legislation

  • South Dakota enacts new money transmission law, aligning the law to the Money Transmission Modernization Act

    Recently, the Governor of South Dakota, Kristi Noem, signed into law SB 58, which amended and repealed many parts of the state’s money transmission law enacted in 2023 to bring the law more into alignment with a model Money Transmitter Model Law. South Dakota was one of several states that have enacted the model law since 2022 (covered by InfoBytes here, here, here, and here), to harmonize the licensing and regulation of money transmitters between states.

    Among many other new provisions, the Act defined “money” to mean a “medium of exchange that is authorized or adopted by the United States or a foreign government” but excluded any central bank digital currency. Additionally, the Act provided for several exemptions, such as the “agent of a payee” exemption, which exempted an agent who collects and processes payment from a payor to a payee for goods and services other than money transmission itself from the Act’s coverage, under certain specified circumstances. 

    The Act also imposed a licensing regime on persons engaged in the business of money transmission and authorizes and encourages the South Dakota Director of the Division of Banking (Director) to coordinate the licensing provisions with other states and utilize the Nationwide Multistate Licensing System for the license applications, maintenance, and renewals. SB 58 amended the required surety bond amount from $100,000 to $500,000, to the greater of $100,000 or an amount equal to the licensee’s average daily money transmission liability in South Dakota for the most recent three-month period, up to a maximum of $500,000, or if the licensee’s tangible net worth exceeds 10% of total assets, $100,000.

    Once a license application is completed, the Director will have 120 days to approve or deny the application. In addition to the license application process, the Act also outlined the criteria for renewing, maintaining, and changing control of the license, as well as the licensee’s responsibility to keep records and maintain permissible investments. Notably, if a licensee is transmitting virtual currencies, then the licensee must “hold like-kind virtual currencies of the same volume as that held by the licensee but that is obligated to consumers” instead of the permissible investments otherwise listed under the Act. The Act will go into effect on July 1.

    Licensing State Issues Money Service / Money Transmitters CBDC South Dakota Digital Assets

  • Utah enshrines two acts to create cybersecurity notification guidelines

    Privacy, Cyber Risk & Data Security

    On March 19, Utah enacted SB 98 which amended the state’s online data security and privacy requirements. SB 98 will include new protocols that individuals and governmental entities must follow under its data breach reporting requirements. SB 98 will require individuals and governmental entities to provide specific information about the breach, including, among other things: (i) when the data breach occurred; (ii) when the data breach was discovered; (iii) the total number of individuals affected by the breach, with a separate count for Utah residents; (iv) the type of personal data involved; (v) a brief description of the data breach; and only for government entities (vi) the path of means by which access was granted to the system if known; (vii) the individual or entity who perpetrated the breach if known; and (viii) the actions taken by the governmental entity to mitigate the effects of the breach. Additionally, the Cyber Center will be tasked with assisting the governmental entity in responding to breaches. This assistance may include: (a) conducting or participating in an internal investigation; (b) assisting law enforcement with their investigation if necessary; (c) determining the scope of the data breach; (d) helping the entity to restore the integrity of the compromised system; and (e) providing any other necessary support in response to the breach.

    On that same day, the governor also signed into law HB 491 which enacted the Government Data Privacy Act. Similarly, the bill will describe the duties of state government agencies related to personal data privacy, including breach notification requirements, limits on data collection and use, and the ability to correct and access personal data. On structure, the bill created the Utah Privacy Governing Board to recommend changes in the state privacy policy, established the Office of Data Privacy to coordinate implementation of privacy protections, and named the Personal Privacy Oversight Commission to the Utah Privacy Commission and amended the commission’s duties. Both SB 98 and HB 491 will go into effect on May 1.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Data Breach Utah

  • Trade groups sue Colorado Attorney General to block enforcement of law limiting out-of-state bank charges on consumer credit


    On March 25, three trade groups filed a lawsuit in the U.S. District Court for the District of Colorado, against the Colorado Attorney General and the Administrator of the Colorado Uniform Consumer Credit Code to prevent enforcement of Section 3 of House Bill 23-1229, which was signed into law last year to limit out-of-state bank charges on consumer credit (the “Act”). As previously covered by InfoBytes, the Act amended the state’s Uniform Consumer Credit Code to opt out of the Depository Institutions Deregulation and Monetary Control Act (DIDMCA) provision that allowed state-chartered banks to charge the interest allowed by the state where they are located, regardless of the location of the borrower and regardless of conflicting out-of-state law. The Act would go into effect on July 1. 

    According to the complaint, the Act “far exceed[s]” the authority Congress granted Colorado under DIDMCA and would be deemed “invalid on its face.” Plaintiffs alleged that Colorado ignored the federal definition of where a loan was deemed to be “made,” imposing “its state interest-rate caps on any ‘consumer credit transaction[] in’ Colorado,” including “any loan to a Colorado consumer by any state-chartered bank that advertises on the internet in Colorado.” Plaintiffs further alleged that the Act’s opt out “is preempted by DIDMCA and violates the Supremacy Clause of the U.S. Constitution by attempting to expand the federally granted opt-out right to loans not actually ‘made in’ Colorado under federal law,” and “violates the Commerce Clause because it will impede the flow of interstate commerce and subject state-chartered banks to inconsistent obligations across different states.” The Plaintiffs also alleged that Colorado’s stated goal of combatting “predatory, payday-style lending” will not be accomplished through the opt out, as plaintiffs’ members are not payday lenders and offer “a wide variety of useful, familiar, everyday credit products” that “are provided at a range of rate and fee options, which sometimes—to account for credit risk—are above Colorado’s rate and fee caps, but within the rate caps allowed by DIDMCA.” Furthermore, plaintiffs warn that the Act “will prevent Plaintiffs’ members from offering these mainstream products to many Colorado consumers,” while “national banks will still offer these very same loan products to Colorado residents at interest rates in excess of Colorado’s interest-rate and fee caps.” Plaintiffs urged the court to issue a ruling stating that the Act “is void with respect to loans not ‘made in’ Colorado as defined by applicable federal law” and to enjoin Colorado from enforcing or implementing the Act with respect to those loans.

    Courts State Issues Colorado State Attorney General Consumer Protection Consumer Finance Interest Rate DIDMCA

  • Nacha’s new rules intends to reduce business fraud that uses credit-push payments


    On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.” 

    As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.

    The first set of rule amendments are effective October 1, which, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit. 

    The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third party providers, and third party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based process and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third party providers, and third-party senders.

    Fintech NACHA ACH Fraud

  • Borrower’s RESPA claim stays afloat in District Court


    The U.S. District Court for the Southern District of Ohio, Eastern Division, granted in part and denied in part defendant mortgage servicer’s motion to dismiss claims for RESPA Qualified Written Requests violations. Defendant approved plaintiffs for a trial payment plan for their mortgage loan. After plaintiffs completed that plan, defendants sent an initial modification agreement with a misspelled plaintiff name. Plaintiffs notified defendant of the error but continued making payments pursuant to the initial modification agreement. Defendant then sent a corrected version which plaintiffs signed, and defendants recorded with the Delaware County Recorder’s office. However, defendants did not update the new terms in its billing system and, after realizing the agreement contained terms different from what it intended, sent a third version of the modification agreement to plaintiffs with an adjusted principal balance and interest rate. Plaintiffs refused to sign the third modified agreement, and defendants refused to honor the recorded version or accept payments, stating that plaintiffs were in default on their mortgage.

    In making its judgement, the court considered how defendant handled plaintiffs’ qualified written requests (QWR). Regarding defendant’s response to plaintiffs’ notice of error, plaintiffs claimed defendant did not conduct a reasonable investigation, inadequately explained the discrepancy between the modification agreements’ interest rates and fee charges to their account, and entirely ignored the change in principal balances between the initial and the recorded modification agreements. Defendant argued that its conclusion, that no enforceable loan modification existed, would not change had it conducted the investigation. The court found that defendant could not bypass its responsibility to conduct a reasonable investigation, and that defendant did not address the difference in principal balance between the initial and recorded modification agreements.

    On the issue of defendant’s response to plaintiffs’ request for information (RFI), plaintiffs claimed defendant’s response did not address their claims of missing records, nor did it mention that such records were unavailable. Plaintiffs also claimed defendant failed to produce requested documents. Refuting defendant’s argument that plaintiffs did not “even hint” that they suffered damages from the RFI portion of the QWR, the court found that plaintiffs’ damages were legally cognizable. However, the court dismissed plaintiffs’ claim as to the RFI because it did not satisfy the necessary standing requirements. 

    Courts RESPA Ohio Qualified Written Request RFI Mortgages Consumer Finance

  • Washington State Attorney General obtains civil penalties against debt collection agency for medical debt collection practices


    On March 19, the Washington State Attorney General (AG) obtained an order from the King County Superior Court providing that a debt collection agency must pay civil penalties for allegedly failing to comply with the Washington Collection Agency Act and Consumer Protection Act when collecting medical debts, specifically by failing to provide the required disclosures in its consumer communications. The court found that the debt collection agency sent 82,729 debt collection notices to medical debtors without the necessary disclosures, which included notification of the debtor’s right to request the original or redacted account number assigned to the debt, the date of last payment, and an itemized statement. The notices also did not inform the debtor that the debtor may be eligible for charity care from the hospital or provided contact information for the hospital. According to the AG’s Office, the collection agency “unlawfully collected payments from … patients without providing critical information about their rights when faced with medical debt. By excluding the legally required disclosures about financial assistance in its collection letters, [the collection agency] created barriers that kept patients who likely qualified for financial assistance from learning about and accessing help with their hospital bills.”

    The court ordered a civil penalty of $10 per violation for the debt collection agency’s 82,729 alleged violations of the state Consumer Protection Act, totaling $827,290. Additionally, the court ordered the debt collection agency to reimburse the AG’s office for the costs of bringing the case, which is estimated to exceed $400,000 and to update its practices to comply with Washington law. In determining the civil penalty amount, the court found, among other things, that the debt collection agency acted in bad faith by “fail[ing] to take basic compliance steps,” and “fail[ing] to obtain the correct license … maintain an office in the state, and … include the mandatory disclosures on medical and hospital debt.”

    As previously covered by InfoBytes, the AG successfully sued the nonprofit health system in early February, entering a consent decree pursuant to which the health system must pay $158 million in patient refunds, debt forgiveness, and AG costs.

    Courts State Issues State Attorney General Debt Collection Consumer Protection Act

  • 5th Circuit reverses judgment in FDCPA case


    Recently, the U.S. Court of Appeals for the Fifth Circuit ordered an FDCPA case to be reversed and remanded after the U.S. District Court for the Eastern District of Louisiana granted a motion for summary judgment. The plaintiffs filed a putative class action alleging that the defendant law firm violated the FDCPA for misrepresenting judicial enforceability of a debt in their dunning letters. The case concerned Congress’s “Road Home” grant program, which was created to provide grants to repair and rebuild homes in the aftermath of Hurricanes Katrina and Rita. All Road Home grant recipients were required to disclose repair benefits previously received. The named plaintiffs in this case applied for and received Road Home grants but failed to disclose repair benefits previously received from FEMA or a privacy insurance carrier. In March 2008, the State’s contractor, ICF, noticed the potential double payments to the two named plaintiffs and placed an internal flag on their accounts in the Road Home database. After a decade, the defendant law firm was engaged to help recover these double payments. The defendants sent a dunning letter demanding repayment in 90 days or the defendants “may proceed with further action against you, including legal action.” The dunning letter further stated that “you may be responsible for legal interest from judicial demand, court costs, and attorneys fees if it is necessary to bring legal action against you.” The plaintiffs filed suit under Section 1692e of the FDCPA and, in an amended complaint, alleged the defendants collected or attempted to collect time-barred debts, failed to itemize the alleged debts, and threatened to assess attorneys’ fees without determining if that right existed. The district court granted summary judgment to the defendants.

    The 5th Circuit reversed on appeal. Concerning the first allegation of collecting or attempting to collect a time-barred debt, the court reasoned that while it does not violate the FDCPA to collect on a time-barred debt, a debt-collector “can run afoul of the FDCPA by threatening judicial action while completely failing to mention that a limitations period might affect judicial enforceability.” Further, the appellate court found the dunning letters were “untimely even under the most liberal, 10-year time window” as the plaintiffs breached their agreements when they closed on their Road Home grants or when the State of Louisiana was provided actual notice of the alleged duplicative payments, both of which occurred more than 10 years before the dunning letters were received. The court also found that the defendants mischaracterized one plaintiff’s debt as the dunning letter said the amount owed was for insurance proceeds when it included a 30 percent penalty for lack of flood insurance. Finally, the court explained that because there was no lawful basis to recover attorneys fees, the defendants violated the FDCPA. 

    Courts FDCPA Louisiana FEMA


Upcoming Events