Last Week, This Morning

November 10, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Arizona DIFI Encourages Financial Institutions to Provide Assistance to Individuals and Businesses Impacted by Federal Government Shutdown

On October 30, the Arizona Department of Insurance and Financial Institutions issued a bulletin encouraging financial institutions and financial enterprises operating in Arizona to assist all individuals and businesses that may be experiencing temporary financial hardship due to the federal government shutdown. (The bulletin defines "financial enterprises" as "any person under the jurisdiction of the Department other than a financial institution.") The DIFI urges financial institutions and financial enterprises to undertake, for at least 60 days, the following measures:

  • provide a grace period for payments for outstanding financial obligations;
  • postpone default and collection activities;
  • refrain from assessing late fees, penalties, or cancellations related to late payments;
  • offer temporary alternative repayment arrangements, including forbearance and loan deferment; and
  • communicate and inform consumers about available options and accommodations during the shutdown.
Amicus Brief(ly): Federal and state regulators are pretty good about suggesting that creditors take an accommodating approach to account servicing when circumstances exist that are outside consumers' control and affect numerous consumers. In fact, a few years ago, Nevada wrote a protection into its vehicle finance law that prohibits a repossession without a court order during a government shutdown (and for 30 days after the shutdown ends) if the consumer is a federal worker, tribal worker, state worker, or household member of such a worker and requires a notice to that effect in a post-repossession notice of intent to sell. We are used to seeing this sort of bulletin or announcement in the aftermath of impactful natural disasters like hurricanes or floods, but Nevada took the unusual step of writing that protection into its laws. The encouragement from regulators is often not necessary for servicers that understand how consumers struggle financially when they have to divert income to repairs or other post-disaster recovery efforts or when (as in this case) the government cuts off their earned income in a battle over the budget. But good for Arizona's DIFI to take this step to bring awareness to the issue.
New Jersey Settles Claims Alleging Real Estate Companies' "Homeowner Benefit Agreements" Were Deceptive and Unconscionable

On October 31, the New Jersey Division of Consumer Affairs and the New Jersey Attorney General's Office announced that they obtained a consent judgment with two Florida-based real estate brokerage companies and their principals for violating the state's Consumer Fraud Act, as well as regulations governing general advertising and telemarketing, by allegedly using deceptive and unconscionable practices in connection with "Homeowner Benefit Agreements" ("HBAs") that the defendants entered into with New Jersey homeowners.

Specifically, the complaint alleged that the defendants routinely made unsolicited telemarketing calls to New Jersey homeowners who were financially impacted by the COVID-19 pandemic, offering them quick cash through their "Homeowner Benefit Program." Under this program, the defendants paid homeowners between $300 to $5,000 (referred to as a "promotion fee") in exchange for the homeowners' agreement to use the defendants as their real estate agents if the homeowners decided to sell their homes in the future. The defendants allegedly represented that their product was "not a loan" and that the homeowners had "no obligation" to repay the promotion fee or sell their homes in the future.

However, the complaint alleged that the defendants failed to disclose the true nature of the program or its terms. Among other things, the defendants allegedly did not disclose to homeowners that the program operated as a high-interest mortgage loan, a lien would be placed against their homes, there was a 40-year contract term, or the HBA was binding on the homeowners' heirs. The defendants also allegedly failed to disclose to homeowners that they would pay an early termination fee of at least 3% of their property's value - a penalty of at least 10 times the "promotion fee" the consumers received - if they listed their property for sale with another real estate agent, their home was foreclosed upon, the title of their home was transferred to a family member, their heirs tried to sell the home, or the homeowner wished to cancel the HBA.

Under the consent judgment, the defendants agreed to stop entering into HBAs with New Jersey consumers, cease enforcing existing HBAs in the state, including recovering or attempting to recover any early termination fee or other payment for any alleged breach of an HBA, and file terminations of the defendants' liens on homeowners' properties. The defendants were also assessed a $1.5 million civil penalty and required to pay $1,344,122 in restitution to reimburse homeowners who paid early termination fees.

Amicus Brief(ly): The allegations in this consent judgment tell the story of yet another unforced error by a company that advertised a product that was actually too good to be true. How the brokers were able to get consumers to sign up for this HBA package without noticing the information about the lien, interest, and other onerous obligations and limitations is beyond us. But it was an expensive unforced error, costing the company almost $3 million and any future revenue it would have taken in based on the product's terms. Compliance professionals charged with producing or reviewing marketing copy should consult state and federal laws prohibiting unfair and deceptive trade practices and imposing requirements on advertisements, and they will notice a theme - you cannot hide important details of a credit program, or an expensive resolution like this one in New Jersey may be on the horizon.
New Jersey Law Allowing Borrowers to Make Biweekly or Semi-Monthly Mortgage Payments Is Now Effective

On November 1, New Jersey Senate Bill 3525 became effective, applicable to mortgage agreements entered into on or after that date. We reported on S.B. 3525 when it was signed in May. The law requires financial institutions to allow mortgagors to make biweekly mortgage payments (defined as every two weeks), in which any amount paid in excess of the total annual contractual mortgage payments due must be applied to the mortgage loan principal, and make semi-monthly mortgage payments (defined as occurring twice each month) in the amount of half of the total monthly contractual mortgage payment due. The law also requires financial institutions to allow mortgagors to pay additional amounts toward the mortgage loan principal without the imposition of a penalty.

In addition, the law provides that if, at the time an escrow analysis is performed, the analysis projects an escrow shortage or otherwise results in an increase in escrow amount payments, the financial institution must notify the mortgagor of any change in payments and apply any excess payments by the mortgagor first to unsatisfied escrow payments and then to the mortgage loan principal, without the imposition of a penalty. The mortgagor may elect to submit a payment to the financial institution to reduce or eliminate any projected escrow shortage.

Amicus Brief(ly): It has been six months since this bill passed, so mortgage loan servicers should have made their adjustments to statements and systems in anticipation of the November 1 effective date. The Department of Banking and Insurance issued a bulletin just before the effective date to remind financial institutions of their obligation to make the flexible payments available to borrowers. The bulletin operates simply as a reminder, and, near the end of the bulletin, the DBI suggests that servicers "update disclosures, loan documents and servicing guides to reflect new payment options; train customer service staff to provide information to borrowers regarding available mortgage payment options and how extra payments are applied; and provide clear notices if escrow adjustments change a borrower's monthly payment." While S.B. 3525 does not impose specific notice requirements, information about these payment options is important, and the regulator appears to confirm what we thought - one way or another, lenders and servicers need to make applicants and borrowers aware of these payment options.

Oklahoma Permits Imposition of Surcharge for Use of Credit Card by Customers in Consumer Lease and Credit Sale Transactions

On November 1, Oklahoma Senate Bill 677, which was signed into law in May, became effective. S.B. 677 amends Oklahoma's Uniform Consumer Credit Code to provide that, with respect to all sales, service, and lease transactions including, but not limited to, any consumer credit sales transaction, any discount offered for the purpose of inducing payment by cash, check, or debit card, rather than by credit card, does not constitute a credit service charge as determined under Section 2-109 of the UCCC if the discount is offered to all prospective customers clearly and conspicuously. S.B. 677 also provides that there is no limit on the discount that may be offered.

In addition, S.B. 677 permits a "seller" (defined as any person, entity, or retailer doing business in Oklahoma in any sales, service, or lease transaction including, but not limited to, any consumer credit sales transaction) to impose a surcharge on a customer who elects to pay using a credit card instead of paying by cash, check, or debit card if the seller complies with the following requirements:

  • Notice displaying the amount of the surcharge must be clearly and conspicuously posted at the point of entry and the point of sale for in-person transactions and on the home page and the point-of-sale webpage for online transactions. Notice, including all required information, must be verbally disclosed to the customer for transactions processed over the phone; and
  • No surcharge may exceed two percent of the total transaction or the actual amount to be charged to the seller to process the credit card transaction, whichever is less. A customer will not be considered to have chosen to use a credit card as a method of payment if, at the time of the transaction, the seller accepts only credit cards as payment.

Prior law prohibited the imposition of a surcharge for the use of a credit card or debit card by the customer.

Amicus Brief(ly): With the price of everything going up, Oklahoma gives creditors a boost with this new law by specifically allowing creditors to pass the cost of debit and credit card payment processing through to consumers. Those charges add up, and the states with versions of the (not-so-uniform) Uniform Consumer Credit Code typically either prohibit charges not specifically authorized by statute or rule or require a creditor to take those charges into account for purposes of the state's maximum rate provisions. Oklahoma was not in either category before this edit because it explicitly prohibited card payment surcharges for open-end credit. The update will allow servicers taking payments by phone or online to recover the cost of processing card payments from consumers, which will help keep servicing costs down.

FTC Identity Theft Portal Unavailable Due to Government Shutdown - Alternative Steps for Consumers

Due to the ongoing government shutdown, the Federal Trade Commission's identity theft complaint intake portals, including IdentityTheft.gov, are currently offline. As a result, consumers who have experienced identity theft and wish to obtain an FTC Identity Theft Report to exercise their rights under the Fair Credit Reporting Act are unable to do so at this time.

Recommended alternative steps for consumers are:

  • File a Police Report. Consumers are advised to contact their local police department to file a report regarding the identity theft. A police report can serve as an "identity theft report" under the FCRA and may be used to request a fraud alert, block fraudulent information, or dispute unauthorized accounts with credit reporting agencies.
  • Report Cyber-Enabled Crimes to the FBI. If the identity theft occurred as a result of a cyber-enabled crime (such as phishing, hacking, or online scams), consumers may file a report with the Federal Bureau of Investigation's Internet Crime Complaint Center ("IC3") at https://www.ic3.gov/. The IC3 site remains operational and can provide documentation of the complaint.
Amicus Brief(ly): It remains unclear (as of last night) when this current record-setting government shutdown will end, but we don't anticipate that the identity thieves will take a time-out and wait for the FTC's site to come back up. Kudos and thanks to Hudson Cook's Meg Nicholls for not only spotting the inactive FTC site but providing alternatives for victims of identity theft so they do not have to wait for the government to reopen to report identity theft.

Three States Settle Claims Against Educational Technology Company

On November 6, the attorneys general for California, Connecticut, and New York announced settlements of their claims against Illuminate Education, Inc., for failing to protect students' data. Illuminate provides software to schools and school districts across the country to track students' attendance and grades and to monitor students' academic, behavioral, and mental health development. In 2021, hackers were able to access one of Illuminate's online accounts using the credentials of a former employee who had left the company years earlier. The data breach exposed the sensitive personal and medical information of millions of students. Investigations by the three states found that Illuminate had failed to implement basic security measures to protect students' data, including failing to monitor for suspicious activity on its platforms. As a result of the three separate settlements, Illuminate will pay a total of $5.1 million - $3.25 million to California, $150,000 to Connecticut, and $1.7 million to New York - and will take steps to enhance and strengthen its cybersecurity practices.

Amicus Brief(ly): Add this development to the list of goings-on this year related to consumer data protection and control. Note the mystifying cause of the hack - the company did not terminate, change, or update the credentials of an employee who left years prior to the data breach. We implore all compliance professionals who are not certain that their IT teams have a protocol for employee termination (voluntary or otherwise) that includes an action related to that employee's login credentials to check on that and, if necessary, update the protocol. The regulatory focus on data protection and control is not ebbing. We expect more of this in 2026.
1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.