InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Maryland enacts child consumer protection laws
On May 9, the Governor of Maryland approved SB 571 (the “Act) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including against processing data not in children’s best interests, profiling children, processing geolocation, using of dark patterns, or monitoring of children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.
Maryland enacts new powers for regulators to examine third parties
On May 9, the Governor of Maryland approved HB 250 (the “Act”) which will authorize the Commissioner of Financial Regulation to examine third parties that service entities under the supervision of the state’s Office of Financial Regulation (OFR). Such licensed entities include both depository and non-depository financial institutions. Currently, the OFR lacks the authority to examine third parties until the Act goes into effect. The Act will define third-party service providers as a “person who performs activities relating to financial services on behalf of a regulated entity for that regulated entity’s customers,” and include data processing centers, activities that support financial services, and internet-related services. On enforcement, the Act will authorize the OFR to enforce the law against any third party that refuses to submit to an examination, refuses to pay a fee, or engages in “unsafe or unsound” behaviors as determined by the OFR. The Act will outline several authorities of the OFR, including notifying the licensed person, which information the OFR can access, and levying fees. Following a notice and hearing, the Commissioner may issue a cease-and-desist order, suspend or revoke a violator’s license, or issue a penalty of up to $10,000 for the first violation and up to $25,000 for each subsequent violation. The Act takes effect on October 1.
Connecticut becomes latest state to ban medical debts in credit reporting
On May 9, the Governor of Connecticut approved SB 395 (the “Act”) banning health care providers from reporting medical debt to credit rating agencies. Further, the Act will prohibit hospitals and collection agents from reporting a patient to a credit rating agency, as well as initiating an action to foreclose a lien where the lien was filed to secure payment for health care (retroactive from October 1, 2022), and from garnishing wages for health care collections (also retroactive from October 1, 2022). The Act will go into effect on July 1. The CFPB wrote in favor of this bill’s enactment after the CFPB promulgated its NPRM to prohibit creditors from using medical bills in underwriting decisions, as covered by InfoBytes here.
NYDFS releases its Cybersecurity Program Template
On May 13, NYDFS issued a guidance letter informing licensed entities about its Cybersecurity Program Template. NYDFS created the Template to help individual licensees and individually owned businesses licensed by NYDFS to develop a cybersecurity program as required by its cybersecurity regulation (23 NYCRR Part 500). The Template was prepared based on the version of the NYDFS Cybersecurity Regulation in effect as of November 1, 2023 (covered by InfoBytes here). The template does not need to be submitted to NYDFS or any other state agencies for approval.
Maryland updates prohibited items reported on consumer credit reports
On May 9, the Governor of Maryland approved SB 41 (the “Act”) which will change the requirements on prohibitions for consumer reporting agencies as to what information they may include in consumer credit reports.
The Act will prohibit consumer reporting agencies from reporting bankruptcies more than 10 years before the credit report would be issued, suits and judgments of more than seven years, paid tax liens greater than seven years, accounts placed for collection of more than seven years, arrest records or other crime reports of greater than seven years, and “any other adverse information that predates the report” by more than seven years. These reporting prohibitions do not apply to credit transactions with a principal amount of at least $150,000, as well as both the underwriting of life insurance with a face value of at least $150,000 or the employment of someone with a salary of at least $75,000. The Act will go into effect on October 1.
Tennessee amends consumer debt proceeding requirements and garnishment exemptions
On May 3, the Governor of Tennessee signed into law HB 2320 (the “Act”), which will amend pleading requirements for consumer debt suits and garnishment exemptions. The Act would require that, in a civil suit or arbitration requesting judgment on a consumer debt, the plaintiff creditor would provide the following in the initial pleading: (i) if the debtor’s agreement does not exist, then provide written evidence of the debtor’s agreement or a document provided to the debtor while the account was active; (ii) a statement that the debt has been transferred or assigned; (iii) the date of the transfer or assignment; (iv) the name of any prior holders of the debt; and (v) the name or a description of the original creditor. Additionally, the Act will amend Tennessee’s garnishment provisions to automatically exempt them from execution, seizure, or attachment funds up to $2,500 in a debtor’s deposit account with a bank or financial institution. The Act will go into effect on July 1.
Georgia amends provisions for telemarketing provisions for defendants
On May 6, Georgia enacted SB 73 (the “Act”), which amends, among other things, Georgia’s telemarketing laws. The Act clarifies that no person or entity can make or cause any telephone solicitation violations, now on behalf of another person or entity, and sets forth that there is a private right of action against violators. The Act also amends the damages to be the actual monetary loss for each violation or a violation up to $1,000 in damages, whichever is greater. However, if a class action lawsuit is brought under the Act, the $1,000 in statutory damages would not apply. The Act further provides that ignorance would not be a valid defense if a defendant did not make or was not aware how a telephone solicitation violated applicable laws. However, it is defensible if the defendant had established policies and procedures to prevent violations, and enforced such procedures, or if a phone number was provided in error so long as the defendant did not have any knowledge of the mistake.
Tennessee amends its Consumer Protection Act
Recently, the Governor of Tennessee signed into law HB 2711 (the “Act”) which amends, among other things, the state’s Consumer Protection Act. In particular, the Act establishes the factors that a court may consider when determining a civil penalty for violation of the Consumer Protection Act. The court may consider (i) the defendant’s participation in the attorney’s general complaint resolution process; (ii) and the defendant’s restitution efforts prior to the action; (iii) whether there was good or bad faith; (iv) injury to the public; (v) one’s ability to pay; (vi) the public’s interest in eliminating the benefits derived by the violator; and (vii) the state’s interest. Additionally, the Act expands its protection of elderly people to “specially targeted consumers” which includes persons who are at least 60 years old, persons under 18, and current and former military service members. Persons who are found to have targeted specially targeted consumers can be liable for penalties up to $10,000. Furthermore, the Act makes other changes such as procedural requirements for actions brought by the attorney general. The Act is effective immediately.
Florida enacts new requirements for payment transaction classification
On May 2, the Governor of Florida signed into law HB 939 (the “Act”) which, among other things, will expand the definition of “depository institution” and amend the requirements for information returns relating to payment-card and third-party network transactions.
As it will relate to Florida’s commercial financing disclosure law, the Act will expand the definition of “depository institution” to mean a bank, credit union, savings or thrift association, or an industrial loan company doing business under the authority of a charter issued by the U.S., Florida, or any other state or territory which is authorized to transact business in Florida and is insured by the FDIC or NCUA Share Insurance Fund.
Additionally, the Act will require third-party settlement organizations handling transactions for participating payees located in Florida to establish a system to identify whether transactions are for goods and services or are personal payments. Third-party settlement organization will be required to create a mechanism that clearly obligates the sender to classify the transaction type prior to completion. The Act will also set forth how the sender of the payment will be responsible for categorizing the transaction accurately. Furthermore, third-party settlement organizations will be instructed to keep detailed records that reflect the transaction type as specified by the sender. However, this requirement will not be applicable to third-party settlement organizations that are contractually bound to process transactions exclusively for goods and services. The Act will define “participating payee,” “third party network transaction,” and “third party settlement organization” as defined by the Internal Revenue Code. The Act will go into effect July 1.
Oklahoma amends SAFE Act licensing provisions
On April 29, Oklahoma enacted SB 1492 (the “Act”) which amends the Oklahoma Secure and Fair Enforcement for Mortgage Licensing Act by, among other things, expanding the definition of “mortgage broker” to include servicing a residential mortgage, defining “servicing” to include holding servicing rights, as well as significantly adjusting fees and annual assessments for licensees. With respect to mortgage servicing, the law defines servicing as “the administration of a resident mortgage loan following the closing of such loan” and further states that an entity will be serviced if it “either holds the servicing rights, or engages in any activities determined to be servicing, including: (a) the collection of monthly mortgage payments; (b) the administration of escrow accounts; (c) the processing of borrower inquiries and requests; and (d) default management.” The definition of “mortgage lender” already includes an entity that “makes a residential mortgage loan or services a residential mortgage loan” and will be approved by HUD, Fannie Mae, Freddie Mac, or Ginnie Mae. The Act adds a new section allowing licensees to permit their employees and independent contractors to work at remote locations, subject to certain conditions regarding policies and procedures for customer contact information and data, maintenance of physical records, and prohibitions on in-person customer interactions, among other things. Finally, the Act will add or amend certain fees and their annual assessment determinations, including assessments based on loan volumes for originated loans and others for serviced loans during the assessment period. The Act will go into effect on November 1.