InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Buckley Special Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of signatures to appear on the November 2018 ballot in the state. Both the Act and the Ballot Initiative were a reaction to high-profile news stories involving large-scale consumer data collection and sharing by online companies, often done without notice to or consent from consumers.
The Ballot Initiative, driven and funded by a coalition of privacy advocates, proposed both expanding consumer privacy rights under existing state laws such as the California Online Privacy Protection Act and the “Shine the Light” law, and giving new consumer rights with regard to information sharing. The Ballot Initiative, which was withdrawn in response to the enactment of the Act, would have provided state residents with increased rights regarding the types of information online companies possess about them, the purposes for which the information is used, and the entities with which the information is shared. Consumers would also have been given the right to stop certain sharing of their personal information. Critics asserted that the Ballot Initiative was poorly crafted and would stifle innovation in data services. Last minute revisions to the language of the Act, which generally follows the requirements of the Ballot Initiative, sought to address some of these concerns and several industry groups that had opposed the Ballot Initiative did not lobby against the quick passage of the Act.
* * *
Click here to read the full special alert.
If you have questions about the act or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.Credit reporting agency agrees to cybersecurity corrective action with eight state regulators
On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.
The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).
Connecticut governor signs amendments to state banking statutes
On June 14, the governor of Connecticut signed HB 5490, which makes various amendments to the state’s banking statutes, including standardizing various requirements across several mortgage and nonmortgage licensing types. Among other things, the law (i) extends the commissioner’s authority over certain mortgage-related licensees (mortgage lenders, brokers, and originators; correspondent lenders, and processors or underwriters) to include small loan lenders, sales finance companies, sales finance companies, mortgage servicers, money transmitters, check cashers, debt adjustors, debt negotiators, consumer collection agencies, student loan servicers, and lead generators; (ii) outlines provisions concerning the commissioner’s authority to conduct investigations and examinations; (iii) establishes that for loans under $5,000, the maximum annual percentage rate (APR) shall not exceed the lesser of 36 percent or the maximum APR for interest “permitted with respect to the consumer credit extended under the Military Lending Act”; and (iv) requires sales finance companies to acquire, maintain, and report to the commissioner certain demographic information on ethnicity, race, and sex for any retail installment contract or application for such contract covering the sale of a motor vehicle. The law is effective October 1, with the exception of specified provisions.
New York regulation requires all credit reporting agencies to register with NYDFS
On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)
According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”
District Court grants preliminary approval of TCPA class action settlement
On June 25, the U.S. District Court for the Northern District of California issued an order preliminarily approving a class action settlement between class members and a student loan management enterprise (defendants) accused of violating the Telephone Consumer Protection Act (TCPA) by using an automatic telephone dialing system (ATDS) to place calls to cellular telephones without receiving prior express written consent. Specifically, the plaintiff alleged that the defendants used a phone number previously used by the Department of Education (Department) to contact borrowers and which was listed on the Department’s forms, website, and billing statements, so that when class members returned calls under the impression that they were contacting the Department, the defendants collected and stored the phone numbers. The plaintiff further alleged that the stored numbers were used by the defendants to place calls using an ATDS for the purpose of “mislead[ing] class members into paying for student loan forgiveness and payment programs that were otherwise offered for free by the federal government.” According to the order, preliminarily approval of the settlement prevents possible further litigation and, given the current “‘wind-down’ mode” of one of the defendants, prevents a risk that class members seeking relief would be unable to collect on a large judgment. Under the terms of the settlement, the defendants have agreed to establish a $1.1 million settlement fund, as well as to injunctive relief that prohibits the defendants from using an ATDS to contact individuals without first receiving prior written consent.
Agencies release 2018 list of distressed, underserved communities
On June 25, the OCC, together with the Federal Reserve and the FDIC, released the 2018 list of distressed or underserved communities where revitalization or stabilization efforts by financial institutions are eligible for Community Reinvestment Act (CRA) consideration. According to the joint release from the agencies, the list of distressed nonmetropolitan middle-income geographies and underserved nonmetropolitan middle-income geographies are designated by the agencies pursuant to their CRA regulations and reflect local economic conditions, including changes in unemployment, poverty, and population. For any geographies that were designated by the agencies in 2017 but not in 2018, the agencies apply a one-year lag period, so such geographies remain eligible for CRA consideration for another 12 months.
Similar announcements from the Federal Reserve and the FDIC are available here and here.
OFAC revokes JCPOA-related General Licenses
On June 27, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued an announcement revoking Iran-related General Licenses H and I (GL-H and GL-I) following President Trump’s May 8 withdrawal from the Joint Comprehensive Plan of Action. In conjunction with these changes, OFAC amended the Iranian Transactions and Sanctions Regulations to authorize certain wind-down activities through August 6 (GL-I) and November 4 (GL-H) related to, among other things, letters of credit and brokering services. In addition OFAC released updated FAQs related to the May 8 re-imposition of nuclear-related sanctions.
See here for continuing InfoBytes coverage of actions related to Iran.
New Hampshire enacts amendments to banking and consumer credit laws
On June 8, the governor of New Hampshire signed HB 1687, to clarify the applicability of various state banking and consumer credit laws. Among other changes, the law (i) clarifies information required to be provided in a note, agreement, or promise to pay that is entered into by a small, title, or payday lender; (ii) prohibits small, title, or payday lenders from taking “any note, agreement, or promise to pay in which blanks are left to be filled in after the loan is made”; and (iii) makes certain other clarifying technical updates. The law is effective August 7.
21 Attorneys General oppose “Madden fix” legislation
On June 27, the Colorado and New York Attorneys General led a coalition of 21 state Attorneys General in a letter to congressional leaders opposing HR 3299 (“Protecting Consumers’ Access to Credit Act of 2017”) and HR 4439 (“Modernizing Credit Opportunities Act”), which would effectively overturn the 2015 decision in Madden v. Midland Funding, LLC. Specifically, H.R. 3299 and H.R. 4439 would codify the “valid-when-made” doctrine and ensure that a bank loan that was valid as to its maximum rate of interest in accordance with federal law at the time the loan was made shall remain valid with respect to that rate, regardless of whether the bank subsequently sells or assigns the loan to a third party.
The letter argues that the legislation “would legitimize the efforts of some non-bank lenders to circumvent state usury law” and it was not Congress’ intention to authorize these arrangements with the creation of the National Bank Act. In support of their position, the Attorneys General cite to a 2002 press release by the OCC and the more recent OCC Bulletin 2018-14 on small dollar lending, which stated the agency “views unfavorably an entity that partners with a bank with the sole goal of evading a lower interest rate established under the law of the entity’s licensing state(s).” (Previously covered by InfoBytes here.) The letter also refers to an 1833 Supreme Court case, Nichols v. Fearson, which held that a “valid loan is not invalidated by a later usurious transaction involving that loan” but was not relevant to the decision in Madden because the borrower’s argument related to preemption. Ultimately, the Attorneys General conclude the legislation would erode an “important sphere of state regulation” as state usury laws have “long served an important consumer protection function in America.”
9th Circuit holds that judicial foreclosure proceedings to collect unpaid HOA fees is debt collection under FDCPA
On June 25, the U.S. Court of Appeals for the 9th Circuit held that judicial foreclosure proceedings to collect delinquent assessments and other charges that were owed to a homeowners association (HOA) represented by a law firm that was also a defendant in the case constitute “debt collection” under the Fair Debt Collection Practices Act (FDCPA). The decision results from unpaid assessments owed to the HOA that had previously been settled in two prior suits. However, the homeowner (plaintiff-appellant) defaulted on both settlement agreements, and foreclosure proceedings commenced due to an acknowledgment contained within the second agreement, which recognized the HOA’s right to collect the debt by foreclosing on and selling her property. According to the order, the 9th Circuit first drew a distinction between judicial foreclosures and nonjudicial foreclosures. Nonjudicial foreclosures, the 9th Circuit opined, are not debt collections under the FDCPA because, under California law, they present no possibility of a deficiency judgment against the homeowner and recover nothing from the homeowner. However, the Court held that in this case, the judicial foreclosure created the possibility for a deficiency judgment against the homeowner and subsequent collection of money. Furthermore, since the law firm regularly collected debts owed to others, it was a debt collector, and the lower court’s contrary decision “cannot be reconciled with the language of the FDCPA.” The 9th Circuit reversed the lower court’s ruling that the defendants were not engaged in “debt collection” as defined by the FDCPA.
However, because the lower court granted summary judgment to the defendants, it did not assess whether the plaintiff-appellant had suffered any damages from her claim that the defendants “misrepresented the amount of her debt and sought attorneys’ fees to which they were not entitled” during judicial proceedings. The 9th Circuit held that the law firm’s application for a writ of special execution included “accruing attorney fees,” implying that the fees had been approved by a court, as required by state law, when they had not. The 9th Circuit noted that the state trial court’s subsequent approval of the fee request did not mean the representation was accurate when it was made. The 9th Circuit remanded to allow the lower court to determine what damages, if any, were due the homeowner due to this violation.
In a separate memorandum disposition, the 9th Circuit, however, affirmed in part the lower court’s order granting the defendants’ motion for summary judgment concerning the plaintiff-appellant’s time-barred claims, holding that “even the ‘least sophisticated debtor’ would not likely be misled by the communication—and lack of communication—at issue here, as Plaintiff cannot have reasonably believed that she had paid off the debt in question.”