Last Week, This Morning

May 18, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)" [1] comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

DOJ Resolves Investigation into PayPal's Investment Program for Minority-Owned Small Businesses

On May 12, the U.S. Department of Justice reached a settlement agreement with PayPal to resolve its investigation into the company's Economic Opportunity Fund ("EOF") program, which was launched in 2020 to support investment in minority-owned small businesses. The DOJ contended that the EOF program was discriminatory to the extent that it gave a preference to businesses based on race, color, and national origin.

Under the settlement, PayPal agrees to launch a Small Business Initiative that "will infuse American small businesses with economic opportunity and expand access to capital to these businesses, regardless of the race or national origin of the business owners." As part of the initiative, PayPal agrees to "waive processing fees for $1 billion of transactions offered to eligible American small businesses: (1) engaged in farming, manufacturing, or technology (including AI); or (2) engaged in other industries if the small business is certified by the [Small Business Administration's] Veteran Small Business Certification Program." The $1 billion waiver of processing fees represents a value of approximately $30 million over the course of the initiative. In addition to the fee waivers, the settlement requires PayPal to designate a director of the initiative, conduct an assessment of the needs of small businesses and "suggest practical, scalable ways to support these businesses given the products and services offered by PayPal," submit plans for the proposed structure of the initiative to the DOJ, and provide training on the Equal Credit Opportunity Act to employees involved in the initiative.

The settlement states that the DOJ has not made any determinations or findings that the EOF program violated the ECOA or any other federal law. PayPal also expressly denies any liability related to the EOF program.

Amicus Brief(ly): PayPal's settlement with the DOJ conspicuously avoids any payment of a fine to the government, which is consistent with the finding that it did not violate the ECOA or any other federal law. PayPal's new Small Business Initiative appears to comport with the DOJ's expectations by not focusing on minority-owned businesses. While the prior program did have a minority-owned business focus, there are no allegations in the settlement to indicate that PayPal would deliberately deprive non-minority small businesses of the chance to obtain capital from or otherwise work with PayPal in a development capacity. But the weight of the government is heavy, and this administration is focused on the eradication of equality initiatives in the private and public sectors that appear to be discriminatory. Companies will have to evaluate their options as PayPal did here, revising its economic development program to remove any reference to businesses whose owners fit within specific demographic descriptions.

FDIC Approves Deposit Insurance Application for Stellantis Bank

On May 13, the Board of Directors of the Federal Deposit Insurance Corporation approved a deposit insurance application to establish Stellantis Bank USA, which will be a Utah-chartered industrial bank. Stellantis Bank USA's proposed business model will focus on providing automotive financing products, primarily through the purchase of retail installment sale contracts from independent Stellantis dealers. Stellantis owns 14 prominent auto brands, including Chrysler, Dodge, Jeep, and Ram.

According to the FDIC's news release, applications for deposit insurance are evaluated under a statutory framework of seven factors that include: the financial history and condition of the institution; the adequacy of the institution's capital structure; the future earnings prospects of the institution; the general character and fitness of the management of the institution; the risk presented by the institution to the Deposit Insurance Fund; the convenience and needs of the community to be served by the institution; and whether the institution's corporate powers are consistent with the purposes of the Federal Deposit Insurance Act. FDIC staff found that Stellantis Bank USA satisfied the statutory factors for approval, subject to certain conditions and written agreements.

Amicus Brief(ly): Congratulations to Stellantis on its approval to open an FDIC-insured industrial loan company, keeping step with Ford and GM, which were also approved for ILC ownership. The well-funded ILC, with $150 million in start-up capital, will focus on the vehicle finance business, including floorplan loans to vehicle dealers and consumer loans for charging stations. The ILC will raise additional operating capital through a nationwide deposit-taking business. Opponents of this approval, like the Independent Community Bankers of America, do not like the idea of having a captive bank with a singular business focus that is subject to similarly concentrated market risks peculiar to the vehicle sales and financing market. The ICBA claimed that the ILC will benefit from FDIC insurance but not be subject to the rigors of ordinary bank oversight because its non-bank holding company will not be subject to oversight by the Federal Reserve Board. But the FDIC liked Stellantis' plan and approved it, so look out for the opening of Stellantis Bank USA within 12 months.

Connecticut Restricts Health and Veterinary Care Providers' Advertising and Marketing of Third-Party Financing

Connecticut Governor Ned Lamont recently signed House Bill 5127, which becomes effective on January 1, 2027. The new law limits health care and veterinary care providers from advertising and marketing third-party financing to consumers. The law does not apply to financing if the provider is the creditor.

The law prohibits health care and veterinary care providers from including their branding or their practices' branding on any signage used to advertise, market, solicit, promote, or offer third-party financing to consumers. The law also prohibits providing consumers with access to software, or with the address of a website or a hyperlink or QR code to a website, that: (1) is maintained by or on behalf of a third party for the purpose of offering or extending third-party financing; and (2) includes the provider's branding or the branding of the provider's practice.

Health care and veterinary care providers are also prohibited from marketing third-party financing while consumers are under anesthesia or sedation, while consumers are receiving treatment, or, except under certain limited exceptions, while consumers are in any area of a facility used to provide health or veterinary services (including any examination room or operating room).

The law precludes health care and veterinary care providers from receiving any financing incentive or compensation in exchange for advertising, marketing, promoting, or offering third-party financing to consumers. Providers are also expressly prohibited from completing an application for third-party financing, or any portion thereof, for a consumer and from submitting an application for third-party financing on behalf of a consumer. In addition, providers may not charge a third-party financing account for the cost of a service before the date on which that service is provided.

The law requires health care and veterinary care providers who engage in any discussion with a consumer concerning the terms and conditions of third-party financing to provide a specific form of written disclosure to the consumer (as set forth in the statute) in the primary language in which the provider communicates with the consumer. The disclosure is not required if the provider merely states that the provider accepts third-party financing as a form of payment but does not discuss the terms and conditions of the third-party financing.

The law also restricts the sale of ancillary products. An "ancillary product" is defined as "any product, other than a health care service or veterinary service, that is sold by a health care provider or veterinary care provider to a consumer who purchases a health care service or veterinary service from such provider," but does not include any food product intended for animal consumption. Providers may not charge ancillary products to third-party financing accounts unless the consumer: (1) receives a receipt that identifies the product and the cost of the product; or (2) separately consents in writing to purchase the product.

Violations of the law constitute an unfair or deceptive trade practice.

Amicus Brief(ly): This new Connecticut law seeks to protect vulnerable consumers and their families from "predatory" lending practices by third-party medical finance providers for both humans and pets. The issues raised by consumer advocates in favor of the bill focused on sales tactics (potential borrowers may not be in a position to understand what they're agreeing to when they are subject to the effects of sedation or otherwise medicated), high interest rates (these are typically unsecured credit plans and can be risky for providers), and deferred interest (we are not sure what the concern is when the consumer has a chance to pay for services without interest up to a certain time). There were also concerns about conflicts of interest that may arise when medical providers receive some benefit from referring consumers to third-party financing. Hopefully the consumer protection angle of this law will not cost Connecticut patients access to important care because of affordability issues.

California Obtains $12.75 Million Settlement with Car Manufacturing Company over Privacy Practices Concerning Connected Vehicles

On May 8, California Attorney General Rob Bonta, together with the California Privacy Protection Agency and several California district attorneys, announced a $12.75 million settlement with a major car manufacturing company to resolve allegations that it sold the location and driving data of Californians to data brokers without the consumers' knowledge or consent and misled consumers about its data collection practices, in violation of the California Consumer Privacy Act and California's Unfair Competition Law. The case represents the eighth enforcement action under the CCPA and the first data minimization case.

According to the CPPA's news release, the complaint alleged that, from 2020 to 2024, the car manufacturer sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of consumers to two data brokers without the consumers' knowledge or consent. The consumers' data was collected by the manufacturer through the consumers' use of OnStar, a subscription-based, in-vehicle service that offers emergency support, automatic crash response, stolen vehicle tracking, and remote vehicle diagnostics via cell and GPS technology. The complaint alleged that the data brokers bought the data intending to use it to develop a driver-rating product that could be marketed to auto insurers for use in setting rates. California's insurance laws prohibit insurers from using driving data to set insurance rates. As such, California consumers had not been subject to increased premiums because of the manufacturer's data sales, unlike drivers in other states. However, the complaint alleged that the manufacturer failed to give California consumers any notice regarding the sale of their data to the data brokers and misled consumers by implying that their data would only be used to provide OnStar subscribers with requested services. In addition, the manufacturer's privacy policy allegedly stated that it did not sell any location or driving data and, if it did for insurance purposes, it would be at the consumer's express direction.

The complaint also alleged that the manufacturer retained location and driving data long after the data was used for OnStar purposes and then sold this retained data to the data brokers in violation of the CCPA's purpose limitation and data minimization requirements, which require organizations to collect, use, and retain only the minimum personal data necessary to achieve a specific, stated purpose and to delete that personal data once the purpose is fulfilled.

In addition to the civil penalty, the settlement requires the manufacturer to:

  • stop selling driving data to any consumer reporting agencies, including data brokers like the defendants in this case, for five years;
  • delete any driving data within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers;
  • request the data brokers to delete driving data;
  • develop a privacy program to assess, mitigate, and document the risks of collecting data through OnStar; and
  • report its privacy assessments to the California Department of Justice, the state district attorneys, and the CPPA.

Amicus Brief(ly): If it feels like you have heard this one before, it's because you have. These data use and consent issues have come up regularly over the past few years in several contexts but consistently with respect to car manufacturers. These issues represent concerns that trouble both Republicans and Democrats. The Texas, Arkansas, and Nebraska attorneys general also have cases pending against GM and OnStar based on similar data and consent allegations raised in this California settlement. We seem to be migrating to an environment where consumers are empowered to better control whether and how companies can use and share their data. With these state enforcement actions front-and-center lately, more legislation on these issues is sure to follow.

Colorado Governor Signs Automated Decision-Making Technology Bill to Replace AI Act

On May 14, Colorado Governor Jared Polis signed the Automated Decision-Making Technology ("ADMT") Act, effectively repealing and replacing the state's landmark 2024 AI Act just weeks before it was slated for implementation. This strategic pivot moves the state away from the rigid "high-risk" classifications, duty of care, and "bias mitigation" audit requirements of the previous framework, favoring a disclosure-centric model instead. The law's enforcement and operational compliance requirements are set to take effect on January 1, 2027.

Like its predecessor, the ADMT Act governs technology used in "consequential decisions," a broad category encompassing decisions in education, employment, financial services, healthcare, and housing. However, the legislature removed the 50-employee threshold found in the AI Act, meaning all developers and deployers operating within these sectors in Colorado are now subject to the law's requirements. While the law excludes standard procedural tools like calculators and anti-fraud software, any technology that "materially influences" the outcome of a consequential decision falls within the "covered ADMT" definition.

For "deployers" (the entities using the technology), the ADMT Act imposes a two-tiered disclosure system. First, they must provide a clear and conspicuous notice at the point of consumer interaction revealing that ADMT is in use. Second, within 30 days of an adverse outcome, deployers must provide a plain language description of how the technology contributed to that result. The law also establishes a new statutory right for consumers to request "meaningful human review" and reconsideration of any automated decision. The ADMT Act includes a safe harbor for creditors whose adverse action notices already comply with the Fair Credit Reporting Act and the Equal Credit Opportunity Act if the federally-required notice "also satisfies the notice or disclosure requirements" of the ADMT Act.

"Developers" (the entities creating the technology) are required to provide deployers with comprehensive technical documentation, including the ADMT's intended use, known limitations, and the categories of data used for training.

The law does not include a private right of action and will be enforced by the Colorado attorney general. The attorney general is now tasked with finalizing clarifying rules before the 2027 compliance deadline.

Amicus Brief(ly): These are big changes to the country's first major state AI legislation, with a little more than six months to prepare for its effective date. The law's scope got broader and clearer but still focuses on the use of AI in connection with "consequential decisions" across markets, including financial services. The law remains directed at the potential for AI to result in discrimination. Other states have not gone as far as Colorado in developing comprehensive AI laws, but state legislatures have actively considered such laws this year. The right of a consumer under this updated law to request reconsideration of an automated decision, and specifically to request human review of an AI decision, is likely to help Colorado consumers feel more comfortable with the expanded use of AI.


[1] For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.