March 11, 2024
Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an “Amicus Brief(ly)1” comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters – CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ – provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.
On March 5, New York State Attorney General Letitia James sued more than 30 companies and individuals for operating an alleged predatory lending scheme by making fraudulent loans to small businesses disguised as merchant cash advances. According to the AG’s press release announcing the suit, the defendants provided merchants with contracts that described each transaction as a purchase of a portion of a merchant’s future revenues, with flexible payment amounts and open-ended terms. In fact, however, the AG alleged that the defendants debited fixed amounts from the merchants’ bank accounts daily over short repayment terms. The AG claimed that the defendants promised to reconcile the daily payments to ensure that they never exceeded a set percentage of the merchants’ receipts, but the defendants used fraudulent measures to ensure that merchants almost never qualified for refunds. According to the AG, instead of being MCAs, the transactions were fraudulent short-term loans with interest rates as high as 820% per year.
In the Verified Petition, which was filed in the Supreme Court of the State of New York, County of New York, and is almost 300 pages long, the AG is seeking at least $1.4 billion in interest and fraudulent fees that were collected from merchants, as well as a court order barring the defendants from continuing their illegal practices and a lifetime ban for Yellowstone’s founder from the MCA industry. The press release noted that, before filing this lawsuit, the AG reached settlements with five individuals involved in this scheme, which included payment of $3.37 million for impacted merchants and a ban from the MCA industry.
|
On March 5, the Consumer Financial Protection Bureau announced that it finalized a rule to limit penalty fees on credit cards issued by so-called "Larger Card Issuers" (issuers that, together with their affiliates, have one million or more open credit card accounts). The new rule modifies Regulation Z and becomes effective 60 days after publication in the Federal Register.
Reg. Z prohibits card issuers from imposing fees for violating the terms or other requirements of a credit card account under an open-end (not home-secured) consumer credit plan, such as a fee for a late payment, unless the fee is proportionate to the card issuer's cost for the violation or complies with safe harbors set forth in Section 52 of Reg. Z. Section 52 currently sets a safe harbor of $30 generally for penalty fees, except that it sets forth a safe harbor of $41 for each subsequent violation of the same type that occurs during the same billing cycle or in one of the next six billing cycles.
The CFPB's final rule repeals the current late fee safe harbor dollar amount for Larger Card Issuers and adopts a late fee safe harbor amount of $8. The final rule also eliminates a Larger Card Issuer's ability to charge a higher late fee safe harbor amount for subsequent violations of the same type that occur during the same billing cycle or in one of the next six billing cycles. In addition, the provision in Reg. Z that provides for annual adjustments to the safe harbor dollar amounts to reflect changes in the Consumer Price Index will not apply to the $8 safe harbor amount for late fees.
The final rule does not affect "Smaller Card Issuers" (issuers that, together with their affiliates, had fewer than one million open credit card accounts for the entire preceding calendar year). For these card issuers, the rule clarifies that the safe harbors continue to apply and that the safe harbor amounts for violations are increased to $32 and to $43 for subsequent violations.
On March 7, the U.S. Chamber of Commerce, three bank trade groups in Texas, the American Bankers Association, and the Consumer Bankers Association sued the CFPB and its director, Rohit Chopra, in the U.S. District Court for the Northern District of Texas challenging the CFPB’s final rule.
|
The Texas Finance Commission recently amended its rules relating to credit access businesses (“CABs”). Specifically, the new rules amend the requirements for filing a new CAB license application, the Office of Consumer Credit Commissioner’s denial of a CAB license application, the OCCC’s review of the criminal history of a CAB license applicant or licensee, and the model forms for the consumer cost disclosures used by CABs.
The Commission and the OCCC will allow a delayed implementation date of September 1, 2024, for all licensees to provide the amended versions of the cost disclosures. From the rule's effective date of March 7, 2024, through August 31, 2024, licensees may provide consumers with either the previous versions or the amended versions of the disclosures.
|
On March 6, New Hampshire Governor Chris Sununu signed Senate Bill 255, which enacts the state’s comprehensive consumer data privacy law. New Hampshire is the latest state to implement a comprehensive consumer data privacy law, following New Jersey, California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Texas, and Oregon. The new law is effective January 1, 2025.
The new law applies to persons that conduct business in New Hampshire or persons that produce products or services that are targeted to residents of New Hampshire that during a one-year period: (1) controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than 10,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. Certain entities and certain information and data are not subject to the new law, including financial institutions and data subject to the federal Gramm-Leach-Bliley Act.
Under the new law, a consumer has the right to: (1) confirm whether or not a controller is processing the consumer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; (2) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data; (3) delete personal data provided by, or obtained about, the consumer; (4) obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret; and (5) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, except as otherwise provided for in the law, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
A New Hampshire consumer may designate an authorized agent to exercise the rights of such consumer to opt out of the processing of the consumer's personal data (and a parent or legal guardian may exercise such consumer rights on a child's behalf).
The new law also delineates the responsibilities of controllers and processors of consumers’ personal data and requires a controller to conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer.
The attorney general has exclusive authority to enforce violations of the new law.
|
On March 7, the Washington state legislature passed Senate Bill 6025, titled "Predatory Loan Prevention Act." The PLPA amends the Washington Consumer Loan Act by incorporating an anti-evasion provision. The bill provides that "a person may not engage in any device, subterfuge, or pretense to evade the requirements of the [CLA] including, but not limited to:
The PLPA declares that an evasion of the permitted interest rate provisions under the CLA constitutes a violation of the CLA.
The PLPA purports to incorporate the predominant economic interest and the totality of the circumstances standards in determining whether the lender is a "true lender." It provides that "[i]f a loan exceeds the rate permitted under the [CLA,] a person is a lender making a loan subject to the requirements of the [CLA] notwithstanding the fact that the person purports to act as an agent, service provider, or in another capacity for another person that is exempt from the [CLA] if, among other things:
The PLPA provides an exemption for non-recourse litigation funding. It states that the CLA does not apply to "[a]ny person that extends money or credit to another person on a nonrecourse basis in exchange for a contingent right to receive an amount of the potential proceeds of any award, judgment, settlement, verdict, or other resolution from a pending legal action." It also states that the exemption does not apply to "any person that requires repayment in the event the person does not prevail in their legal proceeding."
The PLPA also changes the coverage under the CLA to include any loan made to a "person physically located" in Washington, as opposed to any loan made to a "resident" of Washington under current statutory language.
The PLPA further clarifies that a person may not engage in any activity subject to the CLA without first obtaining and maintaining a license. If a person fails to obtain and maintain a license as required under the CLA, loans in which that person is involved after the effective date, if the loans are not residential mortgage loans, are null, void, uncollectable, and unenforceable.
The PLPA will not apply to any loans issued prior to the effective date of the PLPA unless the loan is renegotiated or modified after the effective date. Because it does not provide a specific effective date, the PLPA, once signed into law by the governor, will take effect 90 days after the end of this legislative session.
|