Last Week, This Morning

October 28, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)¹" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

On October 22, the Consumer Financial Protection Bureau finalized the Personal Financial Data Rights Rule to implement Section 1033 of the Dodd-Frank Act. The Bureau proposed the rule in October 2023 to move toward an "open banking" system.

Section 1033 of the Dodd-Frank Act provides that covered data providers must make available to a consumer, upon request, data in the control or possession of the data provider concerning the consumer financial product or service that the consumer obtained. The final rule implements this provision, providing specificity to the scope of data providers subject to the rule, the data that must be provided to consumers upon request, the interfaces through which data is to be made available, and how third parties may access such information through the consumer's access right.

The final rule keeps the proposed rule largely intact, but it does make notable changes, including:

• exempting from the rule depository institutions that hold total assets equal to or less than the Small Business Administration size standard according to the applicable NAICS code;
• clarifying that products and services that merely facilitate first party payments from a Regulation E account or Regulation Z credit card, which are initiated by the payee or a payee's agent like a loan servicer, are not subject to the rule;
• providing that guardians, trustees, custodians, or similar natural persons may effectuate consumer rights;
• adding a prohibition against evasion for data providers with respect to the obligation to make covered data available;
• adding a requirement to make available to consumers a truncated account number or other account identifier;
• specifying that covered data includes payment initiation information directly or indirectly held by the data provider, such as an account and routing number that could be used to initiate an Automated Clearing House transaction;
• permitting use of tokenized account numbers for payment initiation information;
• adding detail to the content required to be included in third-party authorization disclosures; and
• allowing authorized third parties to retain and use previously collected data as reasonably necessary to improve the consumer-requested product or service despite any revocation request.

The rule will be effective 60 days after publication in the Federal Register. The rule provides for compliance deadlines for data providers beginning April 1, 2026, and extending to April 1, 2030, depending on the institution's size.

Amicus Brief(ly): The proposed rule called for implementation after only six months for the largest banks, so the first compliance date of April 1, 2026, is a bit of a reprieve but not quite what the banks were hoping for. The final rule requires providers to build new data management infrastructure and implement new third-party risk management tools to address data security and safety and soundness risks created by the data sharing rule, and that will take some doing. But on the substance, the final rule generally allows consumers to direct how banks share their personal financial data and with whom. The CFPB has focused on that premise throughout the rulemaking, with the goal of putting consumers more in control of who sees their financial data and empowering them to choose and more easily change providers in the marketplace for deposit accounts and other bank products. Please note that the Bank Policy Institute and the Kentucky Bankers Association sued the CFPB just after the final rule came out, arguing (among other things) that the final rule does not do enough to safeguard consumer data when in the hands of third parties. We will watch with interest as that case plays out and whether the rulemaking has the CFPB's desired result of more competitive and decentralized consumer banking.

On October 23, the Consumer Financial Protection Bureau settled claims against Apple Inc. and its large state-chartered bank partner for allegedly violating the Consumer Financial Protection Act and the Truth in Lending Act in connection with the Apple credit card.

Apple introduced the Apple Card in partnership with the bank in August 2019. The bank extended credit and handled account servicing for the Apple Card. The Apple Card includes a "Report an Issue" feature that allows consumers to dispute transactions on the credit card. It also includes a feature called "Apple Card Monthly Installments" that allows consumers to finance the purchase of Apple products with the Apple Card through interest-free monthly installments.

According to the CFPB, Apple and its partner bank allegedly:

• failed to process or share cardholder disputes that were reported through the "Report an Issue" feature. For some disputes, Apple sent consumers a separate link in the Messages app asking for more information. Apple allegedly failed to send these disputes to the bank if the second form was incomplete. Even after the bank alerted Apple to this issue, the problem allegedly persisted;
• failed to sufficiently investigate cardholder disputes that Apple did send to the bank. Specifically, the CFPB alleged that the bank failed to consistently send acknowledgment notices within 30 days, conduct reasonable investigations, or send resolution letters explaining the determinations of its investigations within 90 days;
• misled cardholders about the Apple Card Monthly Installments feature by leading them to believe that they would automatically be enrolled in this plan when purchasing Apple products with their Apple Card. However, the CFPB alleged that many cardholders were unknowingly charged interest because they were not automatically enrolled as expected. The CFPB also alleged that, for online purchases, Apple only presented the payment plan as an option to consumers using Apple's own Safari browser; and
• misled cardholders enrolled in the Apple Card Monthly Installments plan about how the bank would apply certain refunds between the two balances those cardholders carried - the balance for the interest-free plan and the interest-bearing revolving balance on the card.

The consent orders require Apple to pay a civil money penalty of $25 million and require the bank to pay at least $19.8 million in redress to affected consumers and a $45 million civil penalty and, before introducing any new credit card product, to give the CFPB a plan for how the product will comply with the law.

Amicus Brief(ly): In this settlement, the CFPB reiterates its concerns about how providers manage consumer disputes. Following what sounds like a yearslong investigation, the CFPB hit the bank and Apple pretty hard with civil money penalties ($70M total) and consumer redress. The CFPB has been consistent with its focus on whether and how providers honor consumer disputes, whether direct or indirect, and has come down hard on perceived shortcomings by providers in that regard. This settlement also features allegations related to marketing and fulfillment, where the CFPB alleges that marketing materials misled consumers into thinking they would be automatically enrolled in 0% APR plans for certain card purchases, but that did not happen. Because these issues come up regularly in enforcement actions, providers should review and audit their dispute management procedures for adequacy and their marketing and fulfilment processes to ensure that the marketing materials accurately reflect their products and services.

The Office of Administrative Law recently approved the California Department of Financial Protection and Innovation's proposed regulation regarding registration requirements for certain persons covered under the California Consumer Financial Protection Law. The final notice and text were posted on the DFPI's website on October 22.

The OAL previously disapproved the proposed regulation on April 26, 2024, citing the DFPI's failure to comply with the clarity standard and a procedural requirement under California's Administrative Procedure Act. The DFPI submitted the revised proposed regulatory action to the OAL for review on August 29, 2024, and the OAL approved the final regulation six months following the original disapproval.

The final regulation, among other things, requires persons that offer to provide or provide "subject products" to register with the DFPI. "Subject products" means the following products or services: debt settlement services, student debt relief services, education financing, and income-based advances. Income-based advances are also known as earned wage access products. Note that the regulation provides specific definitions for each "subject product," and a close review of each definition is warranted when considering the applicability of the registration requirements.

The final regulation provides limited registration exemptions for certain licensees under the California Financing Law, California Deferred Deposit Transaction Law, and Student Loan Servicing Act.

Pursuant to the final regulation, all applications, amendments, notices, related filings, supporting documents, renewals, authorizations, assessments, and fees will be filed electronically and transmitted through the Nationwide Multistate Licensing System & Registry. On the initial application, the applicant must provide, among other things: identifying information; the business's other trade names; resident/registered agents; web addresses; contact employees; books and record information; legal status; affiliates/subsidiaries; whether it is controlled by certain financial institutions; disclosure questions; direct owners, executive officers, and indirect owners; and a management chart.

In addition, as part of the registration application, some applicants are required to submit supplemental information, including sample periodic account or activity statements used by the applicant to provide services to California residents. Income-based advance providers are required to submit information documenting the process by which California residents request and repay income-based advances and any standard notifications provided to California residents during the request and repayment process. Applicants are required to pay an application fee of $350 for the initial application and $100 for the annual renewal. The regulation also imposes an annual reporting requirement.

The final regulation becomes effective on February 15, 2025.

Amicus Brief(ly): California has been working on finalizing this rule for a while. Early next year, debt settlement providers, student debt relief services providers, education financing providers, and earned wage access providers will have to register with, and will be subject to regulation by, the DFPI. New registrants will provide forms and other information with their applications, based on the business model, and will be subject to annual reporting requirements detailed later in the rule. There is no substantive regulation of business practices in this rulemaking - California addresses those practices elsewhere. But businesses in the spaces described should prepare for the registration and annual reporting requirements soon, with less than four months to go before the effective date.

The Oklahoma New Motor Vehicle Commission recently approved new required criteria for spot delivery agreements used by dealers for deliveries of vehicles pending financing approval as well as a new form of agreement that will now include powersport vehicle deliveries and retail lease contracts, among other changes. The change to include powersport vehicles and retail lease contracts in the new spot delivery agreement form is necessitated by House Bill 3105, which will become effective November 1, 2024.

Some of the changes the ONMVC made to its spot delivery agreement form include:

• changing the title of the form from "Motor Vehicle Delivery Agreement" to the more generic "Vehicle Delivery Agreement;"
• adding "or Retail Lease Contract" in the first full paragraph in three locations;
• under the "Dealer agrees" section, changing from "within 20 days" to "within 25 days" the amount of time a consumer has to terminate the contract for lack of funding. Note - lien perfection in Oklahoma changed from 20 days to 25 days several legislative sessions ago;
• in the "Dispute Resolution" section at the bottom of the form, changing the names and web addresses for the ONMVC and the Oklahoma Used Motor Vehicle, Dismantler & Manufactured Housing Commission; and
• at the bottom of the form, adding the term "Powersport Vehicles" to the sentence: "This form has been approved for use in the Spot Delivery of Motor Vehicles and Powersport Vehicles."

The ONMVC's website will be updated soon to include the new spot delivery criteria and new Vehicle Delivery Agreement form.

Note that all forms used by a new motor vehicle dealer to facilitate the delivery of a motor vehicle or powersport vehicle pending approval of financing must be approved by the ONMVC. See 47 Okla. Stat. § 563(F). Additionally, all forms used by a used motor vehicle dealer must be approved by the OUMVDMHC. See Okla. Admin. Code § 765:10-3-1(c). Therefore, if a new or used dealer uses a form other than the approved sample Vehicle Delivery Agreement, that form must be approved by the ONMVC or OUMVDMHC, as appropriate, in advance of its use in the state.

Amicus Brief(ly): It has been a while since we have seen spot delivery regulatory updates, but here is Oklahoma with a new, more inclusive, form for dealers to use. For readers unfamiliar with the term, a "spot delivery" is a conditional delivery of a product purchased on credit - most often a motor vehicle - where the dealer has not yet secured financing for the transaction. In the event the dealer cannot place the financing with a third party, the dealer's spot delivery agreement will require the consumer to bring the vehicle back and either leave it with the dealer or renegotiate terms for financing that a third party will accept. The changes to the form leave in place the bold-faced acknowledgement of the consumer, above her signature, that the dealer has not yet secured financing for the transaction. Dealers should prepare to adopt new forms that address the updated criteria.

---

¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.