Last Week, This Morning

May 28, 2024

Hope everyone had a wonderful Memorial Day weekend! Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an “Amicus Brief(ly)1” comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters – CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ – provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or

Buy Now, Pay Later Providers Now Considered Credit Card Issuers Under Reg. Z

On May 22, the Consumer Financial Protection Bureau issued an interpretive rule confirming that “lenders that issue digital user accounts that consumers use from time to time to access credit products to purchase goods and services are ‘card issuers’ under Regulation Z, including when those products are marketed as Buy Now, Pay Later. Such lenders are ‘card issuers’ because such digital user accounts are ‘credit cards’ under [Reg.] Z.” Therefore, BNPL loans are now subject to certain provisions of Reg. Z applicable to credit cards. In particular, according to the interpretive rule, BNPL lenders are subject to Reg. Z provisions governing credit card billing disputes, refund rights, and periodic statements. BNPL lenders must now investigate disputes initiated by consumers and pause payment requirements during the investigation, provide refunds to consumers who return products or cancel services, and provide billing statements.

For purposes of the interpretive rule, BNPL refers to a “consumer loan for a retail transaction that is repaid in four (or fewer) interest-free installments and does not otherwise impose a finance charge. The loan generally requires an initial down payment of 25 percent, followed by three additional installments due every two weeks.”

Even though it is not required under the Administrative Procedure Act, the CFPB is seeking public comment on the interpretive rule and may make revisions as appropriate after reviewing any feedback. Comments must be received by August 1, 2024.

The interpretive rule is effective 60 days after its publication in the Federal Register.

Amicus brief(ly): It seems odd to crowbar BNPL transactions into the credit card regulations under the Truth in Lending Act, but that’s what is happening. Where there is a will, there is a way. You can follow the logic through the discernible strains of credulity, and you sort of have to shrug at the analysis, because there is something to it. But the process the CFPB is following with this interpretive rule and voluntary comment period should not be confused with a true administrative rulemaking – it appears that would have taken too long in the context of an industry enjoying rapid growth. Comments from providers resisting the idea that a BNPL transaction is a “credit card” arrangement logically and legally are unlikely to prevail, but it is worthwhile to submit those comments to try and inform future CFPB actions related to BNPL. Providers should review the rule and be mindful of the consumer concerns about refunds and billing rights that appear to be the impetus behind this regulatory action.
CFPB Sues FinTech Company for Alleged Deceptive Practices and for Allegedly Misrepresenting Loan Costs

The Consumer Financial Protection Bureau recently filed a lawsuit in the U.S. District Court for the Central District of California against Solo Funds, Inc., a financial technology company that facilitates small-dollar, short-term loans, alleging violations of the Consumer Financial Protection Act and the Fair Credit Reporting Act. Specifically, the CFPB alleged that the company all but requires consumers to pay fees styled as “tips” or “donations,” which result in a high cost of borrowing that is not properly disclosed or avoidable. The CFPB alleged that the company engaged in deceptive practices when it misrepresented certain terms about the total cost of credit in its loan disclosure documents. Additionally, the CFPB alleged that the company engaged in unfair and deceptive practices when it serviced and collected on loans that were void or uncollectible because the loans were made without required state licenses or in excess of state usury caps. Finally, the CFPB alleged that the company coerced payments by threatening to provide negative credit information to credit reporting agencies, even though the company did not actually engage in credit reporting.

The complaint seeks damages in the form of a permanent injunction against the company, monetary relief including restitution, disgorgement, and a civil penalty.

Amicus brief(ly): Sometimes innovation in credit products yields thoughtful regulation, as in the case of regulatory “sandboxes” that allow providers of new products that do not fit neatly into existing regulatory schemes to work with regulators to arrive at sensible regulations, and sometimes, as appears to be the case here, innovation in credit products yields lawsuits. Peer-to-peer lending is not widespread, and Solo Funds has come up with a novel way to facilitate this type of lending with features designed to avoid usury and other regulations. As evidenced by the lawsuit, the CFPB was not having it, even though it appears that Solo Funds defined the transaction fees specifically and narrowly to avoid the appearance that they were “interest.” But the CFPB characterizes those transaction fees as interest and attacks the loans arranged through Solo Funds as unlawful under state laws, and in some cases void and uncollectible. This is just the beginning of this case, so we’ll see how Solo Funds argues its position with respect to these peer-to-peer loans and whether it prevails.
CFPB Issues Consent Order Against Student Loan Debt Relief Telemarketer

On May 20, the Consumer Financial Protection Bureau announced a settlement with Western Benefits Group, LLC, a telemarketing company that offers student loan debt relief services, to resolve allegations that it violated the Telemarketing Sales Rule and the Consumer Financial Protection Act. The CFPB alleged that the company violated the TSR and the CFPA by engaging in deceptive acts and practices in the marketing, sale, and administration of debt relief services and by engaging in deceptive telemarketing practices. Specifically, the CFPB alleged that the company misrepresented that it was affiliated with the U.S. Department of Education; that fees paid to the company would go towards the customer’s student loan balance; and that the company would help customers consolidate their loans, reduce their monthly payments, or achieve loan forgiveness. The CFPB alleged that customers who enrolled in the company’s debt relief services were charged fees from $99.95 to $159.95, as well as monthly fees, regardless of whether the company was able to receive results on the customer’s behalf. The CFPB alleged that these were advance fees in violation of the TSR.

The consent order requires the company to permanently cease operations, void all consumer agreements, and pay a $400,000 penalty to the CFPB’s victims relief fund.

Amicus brief(ly): By virtue of the fact that the parties negotiate the terms of consent orders, the company that is the subject of the consent order virtually never admits (or denies – remember, these are negotiated) any of the facts alleged, other than the facts that allow the government agency to establish jurisdiction over the company and the subject matter. That is the case in this consent order, but if any of the alleged facts are true, then there were some pretty apparent law violations happening. The debt relief company allegedly misled consumers about a contractual relationship with the federal government and told consumers that they would apply the “First Work Fees” and monthly service fees to pay down student loans, but they did not. And then, if the alleged facts are true, the company charged advance fees before providing any services, which violates a known tenet of the TSR. Because these alleged violations are apparent if the facts alleged are true, the only real takeaway for telemarketers is to understand that consumers who pay money for services that do not live up to the sales pitch will complain to the government, and the government will listen and ask questions. If the facts line up the way the alleged facts lined up in this case, you can expect to go out of business like the telemarketer in this case.
Colorado Enacts Artificial Intelligence Act

On May 17, Colorado enacted Senate Bill 205 – the Colorado Artificial Intelligence Act – to address the potential risk of “algorithmic discrimination” by developers and deployers of high-risk artificial intelligence systems (“high-risk AI system”).

Under the new law, a “developer” is a person doing business in Colorado that develops or intentionally and substantially modifies an AI system, and a “deployer” is a person doing business in Colorado that deploys a high-risk AI system. A high-risk AI system includes a system that makes, or is a substantial factor in making, a “consequential decision,” which is defined as a decision in specified areas involving consumers – including employment, education, financial services, healthcare, housing, insurance, government services, or legal services – that has a material or significant effect on the provision, costs, or terms of a service or opportunity. “Algorithmic discrimination” means “any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals [that belong(s) to a protected class under Colorado or federal law].”

SB 205 requires a developer of a high-risk AI system to use reasonable care to avoid algorithmic discrimination. There is a rebuttable presumption that a developer used reasonable care if the developer complied with specified provisions in the new law, including:

  • making available to a deployer of the high-risk AI system a statement disclosing specified information about the system;
  • making available to a deployer of the high-risk AI system information and documentation necessary to complete an impact assessment of the system;
  • making a publicly available statement summarizing the types of high-risk AI systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer and how the developer manages any known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of each of these high-risk AI systems; and
  • disclosing to the state attorney general and known deployers of the high-risk AI system any known or reasonably foreseeable risk of algorithmic discrimination, within 90 days after the discovery or receipt of a credible report from the deployer, that the high-risk AI system has caused or is reasonably likely to have caused.

SB 205 also requires a deployer of a high-risk AI system to use reasonable care to avoid algorithmic discrimination. There is a rebuttable presumption that a deployer used reasonable care if the deployer complied with specified provisions in the new law, including:

  • implementing a risk management policy and program for the high-risk AI system;
  • completing an impact assessment of the high-risk AI system;
  • annually reviewing the deployment of each high-risk AI system to ensure that the system is not causing algorithmic discrimination;
  • notifying a consumer of specified items if the high-risk AI system makes a consequential decision concerning a consumer;
  • providing a consumer with an opportunity to correct any incorrect personal data that a high-risk AI system processed in making a consequential decision and providing a consumer with an opportunity to appeal an adverse consequential decision concerning the consumer;
  • making a publicly available statement summarizing the types of high-risk AI systems that the deployer currently deploys, how the deployer manages any known or reasonably foreseeable risks of algorithmic discrimination that may arise from deployment of each of these high-risk systems, and the nature, source, and extent of the information collected and used by the deployer; and
  • disclosing to the AG the discovery of algorithmic discrimination, within 90 days after the discovery, that the high-risk AI system has caused or is reasonably likely to have caused.

Developers and deployers of AI systems that interact with consumers must ensure that each consumer is aware that he or she is interacting with an AI system.

The new law provides an affirmative defense to developers or deployers involved in a potential violation of the law’s provisions if they are in compliance with specified nationally or internationally recognized risk management frameworks for AI systems and they take specified measures to discover and cure violations. The new law grants the AG rulemaking authority to implement and enforce its requirements.

SB 205 is effective on February 1, 2026.

Amicus brief(ly): It is a good thing the effective date of this bill is more than 18 months away. While we anticipate more of this kind of legislation, even at the federal level, this is the first-of-its-kind (Connecticut introduced legislation this session but did not pass it) attempt by a state to regulate the potentially discriminatory impacts of AI. The law focuses on AI developers and deployers, so it does not apply to everyone, and it holds a place for further exemptions in the case of potential future federal regulation of AI. The focus of the law is consumer protection, angling to manage the potential for “algorithmic discrimination” resulting from the use of AI. To that end, the law requires businesses subject to the law to disclose to Colorado consumers when they are interacting with AI systems, which is becoming increasingly difficult to detect with the naked eye. We will be watching for more laws like these as the use of AI continues to increase across markets.
Colorado Enacts Law Governing Mortgage Servicer’s Disbursement of Insurance Proceeds to Borrower in Event Property Is Damaged

On May 17, Colorado enacted House Bill 1011, which requires a mortgage servicer to disclose certain information to a borrower concerning the disbursement of insurance proceeds to the borrower. Under the new law, upon the request of a borrower, a mortgage servicer must promptly disclose to the borrower the specific conditions under which the servicer will disburse insurance proceeds to the borrower in the event that a residential property that is the subject of a mortgage is damaged or destroyed and an insurance company pays insurance proceeds to satisfy a claim associated with such damage or destruction. In the event that the property is damaged or destroyed, a borrower, after consulting with the borrower’s contractor, must create a written repair plan or a written rebuild plan and submit the plan to the mortgage servicer for approval. The servicer must indicate approval or disapproval within 30 days after receiving the plan. The plan must include specific milestones that require the servicer to disburse insurance proceeds in certain amounts upon reaching those milestones. The new law also requires a servicer to disburse insurance proceeds to a borrower in specified amounts depending on the amount of the insurance proceeds and whether the borrower is delinquent in making payments on the mortgage.

In addition, HB 1011 requires a mortgage servicer to hold in an interest-bearing account any insurance proceeds that the mortgage servicer does not immediately disburse to a borrower. A mortgage servicer must ensure that any interest that is credited to the account is credited and disbursed to the borrower.

Finally, HB 1011 imposes some more general requirements on mortgage servicers, including a requirement to, immediately upon commencing the servicing of a mortgage and at any time thereafter at the request of the borrower: (1) disclose to the borrower the interest rate associated with the mortgage, and (2) provide the borrower with a primary point of contact for the servicer. Mortgage servicers must also retain for at least four years all written and electronic communications between the servicer and the borrower.

Amicus brief(ly): While disclosure requirements typically feel burdensome to regulated entities, the impact of this new disclosure requirement in Colorado should help clarify for a consumer the path to disbursement of insurance proceeds in the unfortunate event of serious damage to the consumer’s residence. The repair or rebuilding process can be very daunting, so this disclosure requirement should help consumers understand how and when the servicer will disburse the insurance proceeds, which should considerably ease the burden of the mortgage servicer whose role involves talking the consumer through that process. This is a sensible bill.
Minnesota Makes Failure to Disclose Mandatory Fees or Surcharges in Advertising Deceptive Trade Practice

On May 20, the Minnesota governor enacted House Bill 3438, which makes it a deceptive trade practice to advertise, display, or offer a price for goods or services that does not include all mandatory fees or surcharges. “Mandatory fee,” under the new law, “includes but is not limited to a fee or surcharge that: (1) must be paid in order to purchase the goods or services being advertised; (2) is not reasonably avoidable by the consumer; or (3) a reasonable person would expect to be included in the purchase of the goods or services being advertised.” “Mandatory fee” does not include taxes on the sale, use, purchase, receipt, or delivery of the goods or services, and a person may charge a reasonable postage or shipping fee that is actually incurred by the consumer. The new law does not prevent a person from offering goods or services at a discounted price from the advertised, displayed, or offered price.

Among other exemptions, the new law exempts fees authorized by law that are related to the purchase or lease of a motor vehicle and charged by a dealer, as defined, and any fees, surcharges, or other costs associated with settlement services, as defined in the Real Estate Settlement Procedures Act.

The new law is generally effective on January 1, 2025.

Amicus brief(ly): Regardless of how regulated entities feel about the requirement to disclose mandatory fees in advertisements that include a price, that appears to be the general direction in which we are headed. The exclusions for vehicle finance and certain mortgage transactions are understandable because there are already significant disclosure rules under federal and state law that address what these laws consider “hidden” costs that could materially impact a consumer’s decision about whether to commit to the transaction or consider shopping. Based on this new Minnesota law and other laws like it, when there is doubt about how best to conduct price advertising, erring on the side of an inclusive disclosure of the price (or cost of credit) that includes mandatory fees may feel like “overdoing it,” but it will avoid law violations and more general claims that certain price advertisements are misleading.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.