Last Week, This Morning

July 6, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

FTC Settles Claims Against Amazon for Alleged FCRA Violations

On June 30, the Federal Trade Commission announced that it reached a $2.25 million settlement with Amazon.com, Inc., resolving allegations that Amazon violated Section 609(e) of the Fair Credit Reporting Act, which requires business entities to provide an identity theft victim with "application and business transaction records" evidencing any transaction that the victim alleges to be the result of identity theft. The business entity must provide such records no later than 30 days after the date of receipt of a written request from the identity theft victim. The business must deliver the records to the victim or, if specified or authorized by the victim, a law enforcement agency. Prior to providing the records, a business entity can require that the victim furnish proof of his or her identity and proof of the claim of identity theft through a police report and a completed affidavit.

The FTC alleged that Amazon failed to provide identity theft victims (as well as authorized law enforcement agencies acting on their behalf) the application and business transaction records related to unauthorized transactions made in the victims' names upon their request and, in some instances, failed to provide the records to identity theft victims within the 30-day timeframe. According to the complaint, "[w]hen identity theft victims whose credit or debit card information had been used without authorization contacted Amazon to request records associated with these transactions, the victims would often enter a Kafkaesque sequence in which the Amazon agent would refuse to provide the identity theft victim with records related to the fraudulent account unless the identity theft victim was able to authenticate the identity of the person who had opened the fraudulent Amazon account. That typically meant asking the identity theft victim to provide the name of the person who established the fraudulent Amazon account that had used the victim's credit card without authorization. But this was often information that could only be found in the business records the identity theft victim had requested from Amazon in the first place."

In addition, the FTC alleged that, in some instances, Amazon refused to provide the requested records at all, citing "security" or "privacy" reasons, even though Section 609(e) does not permit a business entity to deny a request for application and business records related to identity theft on those grounds. In other instances, the FTC alleged that Amazon denied consumers' requests for records on the grounds that the consumer had not been the victim of identity theft, despite the consumer having informed Amazon that his or her financial information had been used without authorization and despite the consumer having submitted the materials specified in Section 609(e) substantiating the identity theft. The FTC also alleged that Amazon had no written policy to respond to Section 609(e) requests until early 2025, after it learned of the FTC's investigation, despite FTC staff advising the company to review its compliance with this provision.

Amicus Brief(ly): As states continue to adopt coerced debt laws that protect affected consumers the same way older identity theft rules do, it is important for businesses to be prepared for consumer claims of both identity theft and coerced debt. (Coerced debt laws function like identity theft laws both in their consumer protection angle and their procedural requirements for companies and affected consumers). The FTC's allegations suggest that Amazon did not have its identity theft claim processes ironed out or, if it did, that there was a failure along the way in training or supervision. Amazon denied all wrongdoing, but if the allegations approximate what happened, we get a sense that company representatives were at least arguably inconsistent in their application of identity theft procedures to the detriment of consumers. When a regulator identifies potential weaknesses like that, companies cannot reasonably expect a government investigation to conclude with a simple "no action" letter. To avoid outcomes like the expensive settlement in this case, companies would do well to keep their compliance management systems running on all cylinders, with training, auditing, and accountability functions all working to ensure adherence to strongly written compliance policies.

FTC Seeks Comment on Proposed Policy Statement Concerning Suppression of Accuracy in AI Systems

On July 1, the Federal Trade Commission announced that it is seeking public comment on its proposed policy statement addressing concerns that artificial intelligence companies may be altering or steering the output of their AI systems "to achieve undisclosed ideological objectives," contrary to consumers' expectations that AI systems give truthful and accurate outputs.

According to the proposed policy statement, "an AI company might be tempted to alter or steer the output of its systems contrary to consumers' reasonable expectations for various reasons, including attempted compliance with a state law, such as Colorado's recently revised Artificial Intelligence Act [which the FTC claims coerces AI companies into altering the output of their AI systems to comply with and advance the state's ideological objectives]." The FTC states that steering an AI system in this manner may deceive consumers in violation of Section 5 of the FTC Act, even if the steering is done in an effort to comply with state laws. According to the FTC, "a company may be able to avert potential deception by making truthful, non-misleading representations about the aims of its model. But such representations would need to make clear that the AI company is prioritizing objectives different than those consumers requested or would otherwise expect."

Comments on the FTC's proposed policy statement are due by July 31, 2026.

Amicus Brief(ly): So many of the regulatory developments we have seen the past couple years have focused on AI and data use and management. The FTC is looking for feedback from the public in an effort to confirm its suspicion that state laws are effectively causing AI providers to alter algorithms so that AI outputs come out a certain way. It will be interesting to review the comments the FTC receives, especially from members of the public who use AI expecting "truthful and accurate outputs." That perspective from the FTC is interesting in and of itself because most of the admonitions about AI from regulators, trade groups, and AI companies themselves recommend a "trust but verify" approach to its use. We'll see what comes of this FTC inquiry and how far beyond guidance to providers to avoid unfair, deceptive, or abusive acts and practices the federal government is willing to go.

U.S. Senators Probe Private Equity Firm's Relationship with Private Student Lender

On June 30, U.S. Senators Elizabeth Warren (D-MA), Bernie Sanders (I-VT), Jeff Merkley (D-OR), and Mazie Hirono (D-HI) sent a letter to the chief executive officers at a private equity firm requesting information on the recent announcement of the firm's "multi-year strategic partnership" with private student loan lender Sallie Mae, in which the firm will provide a minimum of $2 billion in newly originated private education loans annually for an initial 3-year term. The senators' letter states that "[t]his relationship represents the concerning advancement of private equity interests in the student loan industry - a dynamic that has historically resulted in low transparency and harm to borrowers." The letter follows a February 2026 report prepared by the offices of several senators - "Costly Consequences: How the Trump Administration Unleashed Private Student Loan Lenders" - that revealed that "[h]alf of the private lenders surveyed either have sold student loans to private equity firms or plan to do so in the future."

The letter specifically seeks information about the private equity firm's current and future investments in the private student loan industry, whether the firm is contracting with any student loan servicers or debt collection companies and its oversight of those companies, and the firm's loan modification options for borrowers, among other things. The senators make claims in their letter that "[p]rivate lenders have a history of discriminatory and predatory practices, such as providing inaccurate billing statements, withdrawing excessive funds from borrowers' accounts, misrepresenting unemployment protections, and wrongfully denying discharges for bankruptcy or for Total and Permanent Disability. Thus far, [the private equity firm] has given no assurances that it will protect borrowers from abusive and illegal practices."

Amicus Brief(ly): We are struggling a little with the senators' apparent premise that private equity firms have no real concern about the compliance practices of businesses with which they work because that is the opposite of our experience. The legislators' approach in this inquiry takes unfortunate outcomes like underwriting and servicing errors that affect some consumers and lays the responsibility for those outcomes at the feet of the company that provides financing to the business where those errors occurred. That approach also imagines that the investors have no concern about negative consumer outcomes or the potential impacts of compliance mistakes on the investors' business partners and the investors themselves. These congressional requests for information typically announce government or political concerns, but they give companies an opportunity to respond and make their cases in writing. Those responsive efforts do not always work to avoid investigations and hearings that reiterate the legislators' suspicions, but responding in writing at least gives the company a chance to get its position on the record.

South Carolina Enacts Guarantee Banking Act

On June 30, South Carolina Governor Henry McMaster signed House Bill 5538, which enacts the Guarantee Banking Act. The Guarantee Banking Act provides that if a covered financial institution takes an adverse action against a person, that person may request a statement of specific reasons for the adverse action. If requested, the covered financial institution must provide the person with the adverse action statement and may not provide false or intentionally misleading information in that statement. "Adverse action" is defined as "a decision by a financial institution to decline to provide full and equal access in the provision of covered financial services and includes refusing to provide, terminating, or restricting covered financial services." "Adverse action" does not include "the temporary suspension or restriction of an account pending an internal investigation, fraud review, or verification of identity." "Covered financial services" includes depository accounts, money transmission, and credit, including but not limited to personal loans, mortgages, business loans, and credit cards. If a financial institution provides an adverse action statement to the individual pursuant to its obligations under the Equal Credit Opportunity Act and its implementing regulations or the Fair Credit Reporting Act and its implementing regulations, that statement satisfies the requirements of H.B. 5538.

In addition, a covered financial institution may not discriminate in the provision of covered financial services. "Discriminate in the provision of covered financial services" is defined as taking an adverse action against a person on the basis of one of the following criteria: (1) any person's exercise of religion that is protected by federal or state law; (2) any person's speech, expression, opinions, or association that is protected by federal or state law; (3) any factor if it is not a quantitative, impartial, and risk-based standard, including any such factor related to the person's business sector; (4) animus towards a person based on (1), (2), or (3); and (5) a desire to obtain a gain from or avoid a loss imposed on the covered financial institution by any person for the purpose of encouraging the covered financial institution to take an adverse action based on any of the factors in (1), (2), or (3).

Any violation of the Act is considered an unfair or deceptive act or practice.

Amicus Brief(ly): The good news for financial services companies already subject to the ECOA and the FCRA adverse action rules is that they do not have to do anything to address South Carolina's new adverse action law, given the express exemption. But the adverse action provision of this bill is not the rub - the law is really focused on alleged "de-banking" activity based on political, religious, or other expression, just like federal Executive Order 14331 titled "Guaranteeing Fair Banking for All Americans." H.B. 5538 started with a provision allowing for statutory damages of at least $10,000 per occurrence for willful violations, but that provision did not survive in the bill as passed. Only a couple other states have passed similar legislation to keep step with the federal government on the de-banking issue. With most state legislative sessions wrapped up for this year, it may be next year before we know whether other states will look to adopt similar legislation.

Illinois Amends Sales Finance Agency Act

On June 26, Illinois Governor JB Pritzker signed House Bill 5290, which amends the state's Sales Finance Agency Act ("SFAA"). In addition to modifying the requirements and process for obtaining a sales finance agency license, the new law also prohibits sales finance agencies from purchasing contracts that violate the state's Retail Installment Sales Act or Motor Vehicle Retail Installment Sales Act. Further, licensed sales finance agencies are prohibited from purchasing motor vehicle retail installment contracts from any person who is not licensed under the Vehicle Code (i.e., unlicensed dealers), not licensed under the SFAA, and not exempt from licensing under the SFAA. Violations of the SFAA can result in revocation or suspension of the sales finance agency's license and fines of up to $25,000 per violation.

H.B. 5290 became effective upon the governor's signature.

Amicus Brief(ly): Companies doing multi-channel business in Illinois may recognize the new limitation on finance companies buying retail installment contracts from unlicensed dealers as the mirror image of the prohibition in the Illinois Consumer Installment Loan Act against licensees selling consummated loans to non-bank buyers that are not licensed under the CILA. Doing business without a state-required license is already a state enforcement issue, given the potential penalties in state law for operating without a required license. But provisions like these also add potential liability and clear business risk that will compel licensees to ensure that their business partners are also appropriately licensed.

Company Providing "Home Equity Agreements" to Homeowners Resolves Claims It Failed to Comply with Colorado UCCC

The administrator of the Colorado Uniform Consumer Credit Code recently signed an Assurance of Discontinuance with a company that offers consumers "home equity agreements," under which, in exchange for a lump sum payment to the consumer, the company gets a percentage interest in the future value of the home, whether the home increased or decreased in value. The company secures its interest under the HEAs by filing a deed of trust on the consumer's home. The HEAs have a 10-year term with an option given to the consumer to buy out the company sooner. At year 10, unless a settlement event has occurred during the term (e.g., sale of the home or the consumer's death), the consumer is obligated to settle the HEA at the end of the term. Consumers can stay in the home during the term and do not make any recurring payments to the company.

The administrator alleged that because the HEAs are "consumer credit transactions" subject to the Colorado UCCC, the company was required to make disclosures in accordance with the UCCC prior to entering into the HEAs and comply with applicable UCCC rate limits and licensing obligations. The administrator alleged that the company disclosed to consumers an "annualized cost" and not an annual percentage rate. The "annualized cost" table displays various possible cost scenarios based on different assumptions for future home value and term length and not a loan finance charge rate. The "annualized cost" calculation also allegedly did not include the 3% to 4.9% origination fee.

Under the AOD, the company is required to pay $390,783 in restitution to affected consumers and comply with the Colorado UCCC.

Amicus Brief(ly): Home equity agreements are complex investment transactions that are specifically designed to function like investments, not loans. But the product has been the subject of scrutiny by the Consumer Financial Protection Bureau and some states over the years as it has gained market traction. Critics identify, among other things, the potential expensive nature of the product for a consumer because, if the property against which a provider makes an HEA advance appreciates over the term of the agreement and the consumer waits to repay the advance for a period that is close to the full term of the agreement, the payout can be substantial. But the product has features that can appeal to consumers: it's asset-based, so the underwriting of it does not focus on the consumer's creditworthiness the way underwriting for a traditional home equity loan or line of credit does; it does not feature a periodic payment requirement; the advance does not bear interest; and it gives consumers access to their home equity when they may need cash but do not want a loan that bears interest and requires a monthly payment. In this case, the Colorado AOD requires the provider to provide restitution to customers in an average amount of just under $2,350, and the financial penalty payable to the state was less than $40,000. These are reasonably modest numbers, suggesting that Colorado may have recognized in the negotiations that its footing on the UCCC claims was imperfect given the nature of the HEA product. A few states (e.g., Maine and Illinois) have adopted statutes to specifically regulate the HEA (or HEI ("home equity investment")) product. As the product expands in the market, more states may do the same, focusing on the differences between the investment product and a traditional loan.


1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.