Last Week, This Morning

April 7, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

HUD Removes Ability of Non-Permanent Residents to Obtain FHA-Insured Mortgages

The U.S. Department of Housing and Urban Development recently issued Mortgagee Letter ("ML") 2025-09 to revise the residency requirements for eligibility for Federal Housing Administration-insured mortgages. In an effort to ensure that the FHA's mortgage insurance programs are administered in accordance with the Trump administration's priority that federal resources be used to benefit U.S. citizens, the ML removes eligibility for FHA-insured mortgages for non-permanent residents. The ML also updates the residency requirements for borrowers with permanent resident status. The provisions of the ML apply to all FHA Title II Single Family forward and Home Equity Conversion Mortgage programs.

The ML states that, "[c]urrently, non-permanent residents are subject to immigration laws that can affect their ability to remain legally in the country. This uncertainty poses a challenge for FHA as the ability to fulfill long-term financial obligations depends on stable residency and employment. Under 24 C.F.R. § 203.33, HUD requires Mortgagees to evaluate a Borrower's ability to sustain long-term financial commitments, and no statute or regulations address noncitizen eligibility for FHA-insured loans. In the past, FHA's residency requirements have required Mortgagees to document the Borrower's lawful residency status demonstrating long-term financial stability and eligibility for federal programs. FHA does not retain citizenship or residency data from the loan application and therefore does not maintain information on the number of non-permanent residents who have received FHA-insured loans under past policies."

The new residency requirements may be implemented immediately but must be implemented for FHA case numbers assigned on or after May 25, 2025.

Amicus Brief(ly): It is not clear whether the motivation for this ML is to adhere to the new administration's immigration policies or to protect the federal mortgage insurance program in light of the updated immigration policies. The Background section of the ML suggests that it is both, citing the uncertainty that a borrower who is not a permanent U.S. resident will be able to satisfy long-term financial commitments like a mortgage loan. It is also not clear how many insured loans HUD-approved lenders were making to U.S.-based consumers who were not yet U.S. citizens or permanent residents. Either way, HUD-approved lenders that do not already have procedures and policies around this issue will have to create new procedures to review and confirm applicants' residency status during underwriting to ensure compliance with this ML.

Idaho Prohibits Financial Institutions from Using Social Credit Score in Provision of Financial Services

Idaho recently enacted Senate Bill 1027, which adds a new Chapter 38 to the Idaho Code - the Transparency in Financial Services Act. The Act prohibits certain financial institutions, such as large banks, payment processors and networks, payment service providers, and credit card companies and networks, from discriminating in the provision of financial services by using a social credit score to refuse to provide, restrict, or terminate service to a customer.

"Social credit score" is defined as any analysis, rating, scoring, list, or tabulation that evaluates a person's: (1) exercise of religion; (2) speech, expression, or association; (3) failure or refusal to adopt any targets or disclosures related to greenhouse gas emissions beyond what is required by applicable law; (4) failure or refusal to conduct any type of racial, diversity, or gender audit or disclosure or to provide any sort of quota, preference, or benefit based on race, diversity, or gender beyond what is required by applicable law; (5) failure or refusal to facilitate or assist employees in obtaining abortions or gender reassignment services; or (6) participation in certain lawful business associations or business activities, such as the exploration, production, utilization, transportation, sale, or manufacture of fossil fuel-based energy or the manufacture, distribution, wholesale, supply, or retail of knives, firearms, firearm accessories, or ammunition. "Social credit score" does not include a financial institution evaluating quantifiable financial risks of a person based on impartial risk-based standards if the standards are established in advance by the financial institution and publicly disclosed to customers.

If a financial institution refuses to provide, restricts, or terminates service to a customer, the customer may request a statement of specific reasons for the refusal, restriction, or termination. The financial institution's statement of specific reasons must include: (1) a detailed explanation of the basis for the denial or termination of service, including a description of any of the customer's speech, religious exercise, business activity with a particular industry, or other conduct that was, in whole or in part, the basis of the financial institution's denial or termination of service; (2) a copy of the terms of service agreed to by the customer and the financial institution; and (3) a citation to the specific provisions of the terms of service upon which the financial institution relied to refuse to provide, restrict, or terminate service. The Act does not prohibit a financial institution from declining to provide, restricting, or terminating financial services to a person when there is evidence that the person is engaged in actual or suspected fraud, criminal conduct, or incitement to unlawful actions or if the person threatens violence or commits violence against a bank, its affiliates, its employees, or other persons or creates obscenity or another form of expression that is not protected by the U.S. Constitution.

The new law is effective on July 1, 2025.

Amicus Brief(ly): This law is the outcome of a few years' worth of concerns raised by businesses whose financial institutions have cut them loose largely based on reputational concerns. Proponents of the bill see it as a form of anti-discrimination law, but sort of the reverse of the traditional DEI efforts financial institutions are used to seeing. And opponents of the bill raised concerns about its impact on social accountability programs that have fallen from favor since the election. There is a private right of action in the bill and room for state enforcement, so the bill has teeth. The tension between the proponents and opponents of the bill reflects some of the national political debate, and it is happening in other states, too, as they consider similar bills.

Utah Enacts Law to Regulate Use of Generative AI in Consumer Transactions

On March 27, Utah enacted Senate Bill 226, which regulates the use of generative artificial intelligence. The new law will take effect on May 7, 2025. The new law defines the term "generative artificial intelligence" to mean an artificial intelligence technology system that: (1) is trained on data; (2) is designed to simulate human conversation with a consumer through text, audio, visual communication, or a combination of those three things; and (3) generates non-scripted outputs similar to outputs created by a human, with limited or no human oversight.

Under the new law, it is not a defense to the violation of any statute administered by the Utah Department of Commerce, Division of Consumer Protection, that generative AI made the violative statement, undertook the violative act, or was used in furtherance of the violation. In other words, whoever deploys a generative AI is responsible for anything that the AI does that violates one of those statutes. The relevant statutes include the Utah Consumer Sales Practices Act, Credit Services Organizations Act, Telephone and Facsimile Solicitation Act, Uniform Debt-Management Services Act, Utah Consumer Privacy Act, Utah Commercial Email Act, and numerous others.

The new law also imposes disclosure requirements for generative AI. Under the law, a supplier who uses generative AI to interact with a consumer must disclose the fact that the consumer is interacting with AI rather than a human if the consumer asks clearly and unambiguously whether the interaction is with a human or AI. The term "supplier" means a seller, lessor, assignor, offeror, broker, or other person who regularly solicits, engages in, or enforces consumer transactions.

Stricter disclosure requirements apply to an individual providing services in a regulated occupation who uses generative AI in a high-risk artificial intelligence interaction. In such a case, the individual must prominently disclose that the consumer is interacting with generative AI. The individual must comply with the requirements of the regulated occupation when the individual provides services through AI, whether or not the interaction is high-risk. The law defines the term "regulated occupation" to mean an occupation regulated by the Department of Commerce that the state requires a license to practice or for which the state offers certifications. The law defines the term "high-risk artificial intelligence interaction" to mean the collection of sensitive personal information, such as health, financial, or biometric data, the provision of personalized advice, such as financial, legal, medical, or mental health advice, or anything else that the Division deems high-risk by rule.

The new law provides a safe harbor for a person whose generative AI discloses clearly and conspicuously at the start of any interaction and throughout the interaction that it is a generative AI. The law gives the Division, in consultation with the Office of Artificial Intelligence Policy, the authority to make rules concerning what types of disclosure meet or do not meet the disclosure requirement for the safe harbor.

Penalties for violating the new law are significant, including the potential for actual damages or statutory damages of $2,000 per violation, whichever is more. Additionally, each violation of the new law is subject to an administrative fine of up to $2,500. The Division may also sue to enforce the new law, in which case a court may impose a fine of up to $2,500 per violation.

Amicus Brief(ly): With the proliferation of AI technology in recent years, the states have started to react by passing laws like this Utah AI law. The new Utah law is consistent with several others, including a couple that have passed in states during this year's legislative session, in that it imposes a disclosure requirement designed to alert consumers that the voice on the other end of the line is AI. Companies using AI to contact customers for customer service and collections, as well as those using AI for marketing calls, should be tracking these kinds of developments to ensure compliance with the new requirements.

On July 1, Oklahoma Will Become First State to Require Electronic Titles

On March 31, Service Oklahoma, a website dedicated to providing driver and motor vehicle services on behalf of the state, in addition to other state services, issued a bulletin notifying dealers of updates to the state's electronic lien and title system.

On July 1, 2025, Oklahoma will become the first state to require electronic titles. All titles will be issued electronically, with limited exceptions for those moving to another state. Existing paper titles will remain valid, but when the next transaction occurs (such as a sale, transfer, or lien placement), the title will be converted to an electronic record.

The bulletin notes that certain other changes will take effect on April 7, 2025, including:

  • Dealers will be able to add electronic liens for any lienholder using their OkCARS accounts. The option to complete the process in person will still be available.
  • Once an electronic title is issued, vehicle ownership will be transferred using an Electronic Title Bill of Sale rather than the title itself. The Electronic Title Bill of Sale will be available on the Service Oklahoma website to print, fill out, and notarize.
  • Dealers will be able to electronically transfer vehicle titles to their names through OkCARS without disrupting pre-registration. According to the bulletin, the feature is useful when a dealer takes a trade-in vehicle that does not come with a title on hand (or if the title has no space). When the dealer sells the car and completes pre-registration, the dealer can use OkCARS to put the vehicle's title in the dealer's name before signing it over to the customer, without canceling the pre-registration account. A licensed operator will then receive a case through OneLink to complete the dealer's request. While dealers will be able to complete this process entirely online, they may still go to a licensed operator if they prefer an in-person experience.
  • Customers will be able to see confirmations of their electronic or paper titles after logging into OkCARS.

The bulletin includes frequently asked questions and other resources concerning electronic liens and titles.

Amicus Brief(ly): This is a big step, though we were a little surprised to read that Oklahoma is the very first state to require electronic titles. Most states have had optional vehicle titling procedures in place for some time. We know from those states that use of electronic titling makes for an efficient and in some cases more secure marketplace. As consumers do more and more personal business on their smart phones, this feels like a natural progression. The mortgage loan marketplace has been successful using the Mortgage Electronic Registration System, though its widespread use and the corresponding increase in documentation available digitally has not yet turned into an all-in requirement anywhere. Dealers in Oklahoma will have some procedural adjustments to make over the next few months to adjust to the new all-electronic world, as will finance companies that work with them. But we expect this bill to yield net-positive results for consumers and dealers alike.

Kentucky Sets Forth Requirements for Licensee Use of Deferred Deposit Database

On April 1, the Kentucky Department of Financial Institutions, Division of Non-Depository Institutions, published a final rule in the Kentucky Administrative Register that establishes requirements for a licensee's use of the Deferred Deposit Database, which was established pursuant to Kentucky Revised Statutes 286.9-140.

KRS 286.9-100(9) prohibits licensees from having more than two deferred deposit transactions from any one customer at any one time and limits the total proceeds received by a customer from all deferred deposit transactions to $500. KRS 286.9-140(1) requires the commissioner of the DFI to implement the database for licensees to verify whether any deferred deposit transactions are outstanding for a customer.

Pursuant to the final rule:

  • A licensee must institute procedures and maintain an accounting system designed to: (1) prevent the licensee from entering into transactions with a customer in violation of KRS 286.9-100(9); and (2) generate reports that will readily permit examination and verification of compliance.
  • For each deferred deposit transaction, a licensee must submit: (1) the customer's date of birth; (2) the check number of the payment instrument, if applicable; (3) the database verification fee; (4) the service fee charged to the customer; and (5) the date the payment instrument was deposited or otherwise presented for payment.
  • A licensee must indicate in the database whether the customer entered into the deferred deposit transaction in person, electronically, or by telephone.
  • A licensee may not cause a closed deferred deposit transaction, as defined, to be reopened in the database unless certain specified conditions are satisfied.
  • A licensee may not accept, collect, or seek payment on a deferred deposit transaction that is designated as closed in the database.
  • A licensee that has reported to the database provider that a deferred deposit transaction is open beyond the maturity date pursuant to KRS 286.9-140(7) must immediately notify the database provider when the transaction becomes closed.
  • A new licensee or an existing licensee applying for an additional location must establish an account with the database provider for each location prior to the time of application.

The final rule was effective March 12, 2025.

Amicus Brief(ly): Specialty finance providers in Kentucky will have to do some work to comply with this brief but impactful rule. There is precedent for the substantive limitation on multiple transactions in other states' small-dollar financial services consumer protection laws, following years of consumer advocates' expressed concerns about rollover frequency for small-dollar credit. The dollar amount limitation ($500) is not always part of the statutory limitations on offering these products to consumers, though. The transaction database will require some new procedures to ensure compliance with those limitations and will give providers (and the Kentucky regulator) a compliance check for customer transactions.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.