
InfoBytes Blog

Financial Services Law Insights and Observations


  • Kentucky makes wholesale amendments to its financial services code

    State Issues

    On April 9, the Governor of Kentucky signed into law HB 726 (the “Act”), an act that will make substantial amendments to the state’s regulation of financial services under Chapter 286 of the Kentucky Financial Services Code. Of note, the Act will update key definitions under the state’s financial services code, including “Bank,” “Company,” “Control,” and “Deposit.” Some of the changes will amend certain powers of the financial commissioner, a position appointed by the Governor, as well as the banking experience requirements for this position. The Act also, among other things, addresses in- and out-of-state trust company rules; banking activities rules for foreign and out-of-state financial companies; bank mergers and reviews by the commissioner; bank closures; bank loan compliance under 12 U.S.C. sec. 371c (prohibiting acceptance of a security from a bank’s affiliate); the commissioner’s rules to remove any officer, director, or employee of a bank via written notice; and mortgage loan license fees, including annual assessments.

    State Issues State Legislation Kentucky Financial Services Bank Regulatory

  • Kentucky enacts a comprehensive data privacy law for controllers

    Privacy, Cyber Risk & Data Security

    On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produces products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers and deriving over 50 percent of gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.

    The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.

    The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers will have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given an additional 45-day extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues Kentucky Consumer Protection Gramm-Leach-Bliley

  • Arizona enacts new money transmission requirements

    On April 8, the Governor of Arizona signed into law SB 1034 which will amend money transmission requirements for licensees. The new law will require a licensee, before transmitting any money (either in person or electronically), to provide consumer fraud warnings on the associated risks and dangers, instructions on how to stop a money transmission (if that option is available), and a statement that the money not be returned after the transmission is completed. The law will not apply to (i) an electronic funds transfer to another person that is not available for immediate use, (ii) electronic funds transfers made with a gift certificate, and (iii) a licensee that can provide proof of presenting its employees an annual fraud prevention training that covers “the indicia of fraud associated” with electronic money transfers. The law will go into effect on July 7 (90 days after enactment).

    Licensing State Issues State Legislation

  • Seventeen State Attorneys General comment on CFPB overdraft proposal

    State Issues

    State attorneys general (AGs) from 17 states recently sent a letter to the CFPB endorsing its proposed rule to amend TILA. The 17 states included New York as principal, California, Colorado, Connecticut, Delaware, the District of Columbia, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, North Carolina, Oregon, Pennsylvania, and Washington. As previously covered by InfoBytes, the proposed amendments would treat overdraft credits as loans, which would make them subject to consumer protections.

    The AGs argued that the historical basis for excluding overdraft fees from TILA protections would be obsolete due to how the fees are assessed, the high fee amount, and the large number of overdraft transactions. The AGs wrote that closing the loophole would protect consumers by providing customers with disclosures so they can better understand the cost and enable them to comparison shop. The AGs supported a benchmark fee of $3, which is the lowest fee amount proposed by the CFPB, and argued that even a $6 fee would “undercount the volume of transactions generating a fee post-enactment” of the proposed rule. Finally, the AGs urged the CFPB to extend the proposed rule to both “very large financial institutions” (those with more than $10 billion in assets) and small financial institutions.

    State Issues State Attorney General CFPB New York Overdraft

  • Washington enacts SB 6025 addressing certain lending practices

    State Issues

    On March 25, the Governor of the State of Washington signed SB 6025 (the “Act”) into law. The Act would prohibit covered entities from (i) making loans disguised as personal property sale or leaseback transactions; (ii) offering cash rebates as a cover for installment sales; or (iii) making loans with interest rates or charges surpassing legal limits, among other things. The Act also amended portions of Washington State’s Consumer Loan Act (CLA). The Act would provide that non-bank services companies may be lenders under the CLA if such company would hold the “predominate interest in the loan” or “totality of the circumstances indicate that the [company] is the lender.” These changes will go into effect on June 6.

    State Issues Washington State Legislation Consumer Finance Consumer Protection

  • Kansas updates UCCC provisions including credit card surcharges

    State Issues

    On March 29, the Governor of Kansas signed into law HB 2247, a comprehensive bill that updated UCCC provisions in an effort to regulate the credit industry more efficiently, and moved provisions from the UCCC to the Kansas Mortgage Business Act, among other things. The bill amended provisions relating to credit card surcharges—allowing retailers and other persons to impose a surcharge on a customer who uses a credit card payment if such retailer or person provided a clear and conspicuous disclosure of the surcharge amount at the point of entry or sale or in advance of the transaction. The bill nearly tripled the “threshold amount” on certain consumer loans and leases from $25,000 to $69,500. The bill also clarified license requirements, among other things. HB 2247 will go into effect on July 1.

    State Issues State Legislation UCCC Credit Cards Surcharge Mortgages Kansas

  • Maine amends its telephone solicitor violations to include the reassigned numbers database

    State Issues

    On March 25, the Governor of Maine approved a new bill, HP 1433, that would require telephone solicitors to leverage the reassigned numbers database. As previously covered by InfoBytes, the FCC created the reassigned numbers database in 2018 to reduce the number of calls inadvertently made to reassigned numbers. This new law would ban telephone providers from calling an individual in combination with the previously codified violations regarding the national or state do-not-call registries. The new law stated that a telephone solicitor would not violate the new law if the solicitor could demonstrate that he used the reassigned numbers database to verify that a person’s telephone number has not been reassigned before calling it. This bill will go into effect on July 16.

    State Issues Maine TCPA FCC State Legislation

  • West Virginia enacts act to prevent unfair real estate service agreements

    State Issues

    Recently, West Virginia passed a new law, HB 5346, titled the Unfair Real Estate Services Agreements Act (the “Act”). This new Act will amend the Code of West Virginia with respect to real estate service agreements. The Act would make the entering into of an “Unfair Real Estate Services Agreement” a deceptive act, including any real estate services agreement between a licensed real estate service provider and a consumer that included terms that would purport to run with the land or be binding to future owners of interest, purport to create a property lien, allow for assignment of the contract without timely notification to the owner of the property, or create a listing agreement for a property that has been listed for over a year past its listing date. Under the law, any unfair real estate service agreement created after the bill’s effective date would be void, and parties may bring a civil action against a real estate service provider. The Act will go into effect on June 6. 

    State Issues West Virginia Mortgage Servicing Real Estate Servicer Unfair

  • West Virginia updates its bank recordkeeping requirements to equate copies with originals

    State Issues

    On March 27, the Governor of West Virginia signed into law HB 4837, which amended the state’s general banking services code to permit banks to photographically or photo-statically reproduce their checks, documents, records, or other instruments (other than notes, securities, and investments) and use such photographic copies (e.g., scans) as substitutes for the originals. Under the law, the photographic copy would be deemed an original counterpart, having the same force and effect as the original, and would constitute admissible evidence in court. While the law would permit the bank to destroy the original copy, the bank must retain either the original or photographic reproductions of the documents for five years from the date of the last entry. Finally, the law would limit actions against any bank for “any balance, amount or proceeds from any time, savings or demand deposit account based on the contents of records” to a five-year retention period. This bill will go into effect after 90 days from passage: June 6.

    State Issues State Legislation Recordkeeping Securities

  • New Hampshire enacts SB 255, a comprehensive consumer privacy bill

    State Issues

    Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

    The Act will define new terms, such as “sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

    The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability.  Consumers will also be protected against discrimination for exercising any of the above rights.

    The Act contained controller responsibilities, including:

    • Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
    • Not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
    • Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
    • Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
    • Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
    • Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

    The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

    The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection
