Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On March 2, New York Governor Kathy Hochul announced actions to strengthen New York Department of Financial Services (NYDFS) enforcement of sanctions against Russia, including the expedited procurement of additional blockchain analytics technology to bolster the ability to detect exposure among NYDFS-licensed virtual currency businesses to Russian individuals, banks, and other entities that the Biden administration has sanctioned, which is intended to strengthen the ability to enforce anti-money laundering and Bank Secrecy Act laws. For more information, click here.
  • On March 1, the Consumer Financial Protection Bureau (CFPB) released a report about the nature of the medical billing system in the U.S. The report concludes that the U.S. health care system is supported by a billing, payments, collections, and credit reporting infrastructure where mistakes are common, and where patients often have difficulty getting these errors corrected or resolved. For more information, click here.
  • On March 1, the Federal Reserve Board invited public comment on a supplement to its May 2021 proposal intended to ensure that Federal Reserve Banks use a transparent and consistent set of factors when reviewing requests to access Federal Reserve accounts and payment services. For more information, click here.
  • On February 28, the CFPB issued a compliance bulletin regarding inadvertent repossessions of automobiles, reminding the industry of guidance previously issued by the CFPB in several editions of Supervisory Highlights and a 2020 consent order. For more information, click here.
  • On February 28, U.S. Representative Steve Cohen introduced the Keeping Evictions Off Credit Reports Act in the House of Representatives, which would prohibit evictions that were related to the COVID-19 pandemic from appearing on those individuals’ credit reports. For more information, click here.
  • On February 25, the NYDFS issued guidance to all individuals and entities subject to its regulation due to the rapidly evolving situation in Ukraine, following the Russian invasion and the imposition of sanctions, in particular businesses engaged in virtual currency activity. For more information, click here.

State Activities:

  • On March 4, New York Attorney General Letitia James launched a rulemaking process to “look into whether major corporations are using the pandemic and inflation as an excuse to unfairly raise the price of basic goods.” Attorney General James stated, “Throughout the pandemic, hardworking New Yorkers have been struggling to make ends meet, but big corporations have been celebrating record breaking profits. It doesn’t add up. My office is prepared to use every tool in our toolbox to crack down on price gouging and pandemic profiteering.” According to the press release announcing the rule launch, this is the “first-ever price gouging rulemaking process by the Office of the Attorney General.” For more information, click here.
  • On March 2, California Attorney General Rob Bonta announced “a nationwide investigation into TikTok, Inc. for promoting its social media platform to children and young adults while its use is associated with physical and mental health harms to youth.” Attorney General Bonta stated, “Our children are growing up in the age of social media — and many feel like they need to measure up to the filtered versions of reality that they see on their screens … We know this takes a devastating toll on children’s mental health and well-being. But we don’t know what social media companies knew about these harms and when.” According to the press release, the investigation will focus “on the techniques utilized by TikTok to boost young user engagement, including strategies or efforts to increase the duration of time spent on the platform and frequency of engagement with the platform.” For more information, click here.

Privacy and Cybersecurity Activities:

  • On March 3, the final version of the Utah Consumer Privacy Act (UCPA) was sent to Utah’s governor for final signature. The UCPA passed both chambers of Utah’s legislature with bipartisan support, and, if signed, would make Utah the fourth state in the country to adopt a comprehensive state privacy law. The final version of the UCPA would go into effect December 31, 2023 , and its substantive requirements closely mirror those found in the Virginia Consumer Data Protection Act (VCDPA). The UCPA does not include a private right of action, and businesses are provided a 30-day right to cure with regards to actions brought by the attorney general. For more information, click here.
  • On March 2, Florida’s House of Representatives passed HB-9, a comprehensive privacy bill, with strong bipartisan support. This legislation is now being considered by the Florida Senate, which must act quickly, as the 2022 legislative session in Florida ends on March 11. Notably this law would create a private right of action, under which consumers could seek $100-$700 per incident. There is still significant uncertainty regarding the future of this legislation, as the Senate has been considering a separate privacy bill that is materially different from HB-9. For more information, click here.
  • On March 1, the U.S. Senate unanimously approved the Strengthening American Cybersecurity Act of 2022. Notably this legislation would require critical infrastructure entities (e.g., energy, communications, transportation systems, etc.) to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Furthermore, under this legislation, cyber incidents that involve ransomware payments would need to be reported within 24 hours. The legislation is now with the House of Representatives, where it is expected to be taken into consideration shortly. For more information, click here.