To keep you informed of recent activities, below are several of the most significant federal and state events that have influenced the Consumer Financial Services industry over the past week:

Federal Activities

State Activities

Federal Activities:

• On October 24, the Consumer Financial Protection Bureau (CFPB) issued a circular purporting to clarify the obligations of employers under the Fair Credit Reporting Act (FCRA) when utilizing such reports for hiring, promotion, reassignment, or retention purposes. The central question the circular poses is whether employers can make employment decisions using background dossiers, algorithmic scores, and other third-party consumer reports without adhering to the FCRA. The CFPB’s response is an unequivocal: No. Employers must comply with FCRA obligations when using these types of consumer reports. Additionally, according to the CFPB, third-party providers furnishing these reports are considered “consumer reporting agencies” under the FCRA. These agencies must, among other things, follow reasonable procedures to ensure maximum possible accuracy, disclose information to workers upon request, and investigate disputes alleging inaccuracies. For more information, click here.
• On October 23, the Electronic Security Association, Interactive Advertising Bureau, and NCTA – The Internet & Television Association filed a petition for review in the U.S. Court of Appeals for the Fifth Circuit seeking to vacate the Federal Trade Commission’s (FTC) final amendments to its Negative Option Rule, now retitled the Rule Concerning Recurring Subscriptions and Other Negative Option Programs. The rule, which is set to take effect 180 days after publication in the Federal Register, is purportedly aimed at stopping deceptive and unfair practices in negative option marketing. The plaintiffs’ petition argues that the rule is arbitrary, capricious, and an abuse of discretion under the Administrative Procedure Act. They also contend that the rule is unsupported by substantial evidence and exceeds the FTC’s statutory authority. For more information, click here.
• On October 22, the CFPB issued its final rule on personal financial data rights. Under the final rule, consumers will have the right to: access their financial data and authorize third parties to access this data on their behalf; revoke access to their data immediately, ensuring that third parties cease data collection and use upon revocation; and benefit from standardized and machine-readable data formats, promoting consistency and reliability in data transmission. The CFPB has delayed the timeline for compliance by 10 months and provided a tiered compliance schedule, giving larger financial technology companies until April 1, 2026 to comply, while the smallest entities have until April 1, 2030. The same day the final rule was released, Forcht Bank, N.A, Kentucky Bankers Association, and Bank Policy Institute filed a complaint for declaratory and injunctive relief asserting that the CFPB overstepped its statutory authority and finalized a rule that “jeopardizes consumers’ privacy, financial data, and account security.” For more information, click here.
• On October 22, the Financial Crimes Enforcement Network (FinCEN) announced it had entered into a consent order imposing a civil money penalty of $900,000 against Sahara Dunes Casino, LP, dba Lake Elsinore Hotel and Casino, for violations of the Bank Secrecy Act and its implementing regulations. The investigation revealed that Lake Elsinore, a medium-sized card club offering card games such as poker, failed to implement an effective anti-money laundering (AML) program, neglected to file required Currency Transaction Reports and Suspicious Activity Reports, and did not maintain proper records including maintaining a negotiable instruments log that lists each transaction between the card club and its customers involving monetary instruments with a face value of $3,000 or more. The card club admitted to these violations and agreed to the consent order, which includes a suspended penalty of $50,000 contingent on compliance with specific undertakings, such as hiring an independent consultant to review its AML program. For more information, click here.
• On October 22, the Financial Stability Board (FSB) recently published a status report on its G20 crypto-asset policy implementation roadmap. This report highlights the progress made by jurisdictions in developing and revising regulatory frameworks for crypto-assets and stablecoins, as guided by the International Monetary Fund (IMF), FSB, and standard-setting bodies (SSBs). Nearly all FSB member jurisdictions have plans or existing frameworks in place. To support global implementation, the IMF, FSB, SSBs, and the Financial Action Task Force have organized workshops, outreach sessions, and capacity-building programs. Despite these advancements, challenges such as inconsistent implementation, regulatory arbitrage, and noncompliance persist, particularly with cross-border crypto-asset activities. The report emphasizes the need for specific regulatory requirements for stablecoins due to their susceptibility to sudden loss of confidence and potential runs. The IMF and FSB, along with other international organizations, will continue to promote a coordinated global policy approach, with the FSB planning a review of the implementation status by the end of 2025. For more information, click here.
• On October 21, Securities Exchange Commission (SEC) Chair Gary Gensler addressed the SIFMA 2024 Annual Meeting in Washington, D.C., emphasizing the necessity of continuous improvement in equity markets. Reflecting on the GameStop events of 2021, Gensler highlighted the significant technological and business model changes since the last comprehensive update of equity market rules in 2005. He noted the shift to electronic trading, the rise of off-exchange transactions, and increased investor participation. Gensler outlined recent SEC initiatives, including updates to equity market structure, clearing processes, and transparency in short selling and securities lending. For more information, click here.
• On October 21, the Federal Communication Commission’s (FCC) Privacy and Data Protection Task Force announced new partnerships with the attorneys general (AG) of Massachusetts, Maine, Vermont, Delaware, and Indiana to enhance privacy, data protection, and cybersecurity enforcement. These partnerships, formalized through memoranda of understanding, enable federal and state enforcement leaders to share expertise, resources, and coordinate efforts to protect consumers. The FCC’s new partnerships join existing partnerships with the AGs of Connecticut, Illinois, New York, Oregon, Pennsylvania, and the District of Columbia. FCC Chairwoman Jessica Rosenworcel emphasized the importance of these collaborations for maintaining consumer privacy and addressing data breaches with urgency. The state AGs expressed their commitment to leveraging these partnerships to combat fraud, scams, and data breaches, thereby safeguarding consumer data. For more information, click here.
• On October 20, the Global Digital Asset & Cryptocurrency Association (Global DCA) announced the Proposed Information Guidelines for Certain Tokens Made Available in the U.S. This voluntary framework, developed in collaboration with the Global Blockchain Business Council, The Digital Chamber, and the Proof of Stake Alliance, aims to enhance transparency and enable informed decision-making in the digital asset market. The guidelines were crafted by a senior steering committee composed of prominent attorneys and scholars in blockchain and digital assets and advised by an advisory committee of key industry stakeholders. The framework focuses on native distributed ledger technology tokens and aligns with U.S. regulations and global standards, such as the EU’s Markets in Crypto-Assets Regulation. While the guidelines do not mandate disclosures, they provide a comprehensive model for voluntary adoption. Public comments are invited until January 31, 2025. For more information, click here.
• On October 18, the FCC’s Enforcement Bureau issued a public notice to all U.S.-based voice service providers regarding substantial volumes of apparently unlawful robocalls transmitted by Identidad Advertising Development LLC. The notice, pursuant to section 64.1200(k)(4) of the FCC’s rules, allows providers to block calls from Identidad if it fails to mitigate the identified traffic within 48 hours or implement effective measures to prevent new illegal calls within 14 days. Identidad has been identified by USTelecom’s Industry Traceback Group as a gateway provider for illegal robocalls impersonating financial institutions. The FCC’s cease-and-desist letter requires Identidad to investigate and block the identified traffic, report the results within 14 days, and take measures to prevent future illegal calls. Failure to comply may result in a final determination order mandating all downstream providers to block Identidad’s traffic. For more information, click here.
• On October 17, the Federal Deposit Insurance Corporation (FDIC) announced a delay in the compliance date for the new sign and advertising requirements for insured depository institutions (IDIs) under subpart A of its final rule, which was initially adopted on December 20, 2023. The amendments, which took effect on April 1, 2024, originally required full compliance by January 1, 2025. However, based on feedback from IDIs and other banking industry participants who requested additional time to update their systems and processes, the FDIC has extended the compliance date to May 1, 2025. This extension aims to provide IDIs with the necessary time to implement the new regulatory requirements effectively. The compliance date for amendments to subpart B remains January 1, 2025. The FDIC has also addressed industry questions through published “Questions and Answers” and plans to release additional guidance by November 30, 2024, to facilitate compliance. For more information, click here.
• On October 17, the U.S. District Court for the Central District of California denied SoLo Funds, Inc.’s (SoLo) motion to dismiss the CFPB first amended complaint. The CFPB had filed the complaint on August 20, alleging that SoLo, a fintech company operating a small-dollar, short-term lending platform, violated the Consumer Financial Protection Act and the Fair Credit Reporting Act (FCRA). The court found that the CFPB’s claims, which included deceptive advertising, misleading disclosures, and unfair, deceptive, and abusive acts and practices related to loan servicing and collection, were sufficiently plausible to proceed. The court also rejected SoLo’s argument that the CFPB’s funding source invalidated its authority to bring the suit, stating: “The Court need not determine how to interpret § 5497, however, since SoLo has not persuaded the Court that the Bureau’s source of funding — even if illegitimate — is grounds for dismissal.” Additionally, the court ruled that the CFPB had adequately alleged that SoLo’s practices violated state licensing requirements and usury caps, and that SoLo failed to ensure the accuracy of consumer credit information as required by the FCRA. Consequently, the court denied SoLo’s motion to dismiss in its entirety. For more information, click here.
• On October 16, the FDIC announced an extension of the comment period for its proposed rulemaking on the Change in Bank Control Act (CBCA). Initially published on August 19, the proposed rule aims to amend the regulations regarding advance notice requirements for certain acquisitions of voting securities of FDIC-supervised institutions. Originally set to close on October 18, the comment period has now been extended to November 18. This extension provides interested parties with additional time to thoroughly analyze the proposal and submit their comments. For more information, click here.
• On October 16, the Federal Housing Finance Agency (FHFA) announced a proposed rulemaking to revise regulations concerning the boards of directors and overall corporate governance of the Federal Home Loan Banks (banks) and the Bank System’s Office of Finance. The proposed rule aims to update and clarify regulatory requirements on various topics, including the annual designation of bank directorships, director eligibility and qualifications, nomination and election processes, board and committee meetings, conflicts of interest, and the responsibilities of boards and executive management. The proposed changes also address action items from FHFA’s “FHLBank System at 100: Focusing on the Future Report” and feedback from the April 2023 Notice of Regulatory Review. Written comments on the proposed rule must be received within 90 days of its publication in the Federal Register. For more information, click here.

State Activities:

• On October 24, Washington, D.C. AG Brian L. Schwalb announced that Universal Title will pay $500,000 following an investigation that uncovered an illegal title insurance kickback scheme. The AG determined that Universal offered real estate agents discounted ownership interests and profit-sharing in entities designed to incentivize business referrals to Universal. This conduct violated D.C.’s Consumer Protection Procedures Act by restricting homebuyers’ ability to shop for the best price and service, and by harming law-abiding competitors. Under the terms of the agreement, Universal will pay $500,000, with a portion allocated for consumer restitution. Additionally, Universal will cease giving real estate agents consideration for referrals and will either end its title insurance operations in D.C. or divest agents from their ownership interests in the spin-off companies. For more information, click here.
• On October 22, the New York City Department of Consumer and Worker Protection (DCWP) announced a delay in the enforcement of its recently amended debt collection rules until April 1, 2025. The announcement comes just two business days after ACA International, Inc. and Independent Recovery Resources, Inc. filed a complaint in the Eastern District of New York against New York City Mayor Eric Adams, the DCWP, and the DCWP commissioner. The plaintiffs seek declaratory and injunctive relief to prevent the enforcement of the rules, arguing that they are unconstitutional and preempted by federal and state law. While the effective date of the new rules remains December 1, the DCWP’s decision to delay enforcement provides a grace period for compliance. For more information, click here.
• On October 21, Minnesota AG Keith Ellison announced a settlement with two debt settlement companies, Financial Solutions Group and Accelerated Debt Settlement. The companies were alleged to have: promised to negotiate debt settlements with creditors but allegedly collected fees before performing any services; misrepresented their services or created the likelihood of consumer confusion regarding their services; operated without the required registration with the Minnesota Department of Commerce. The companies are permanently enjoined from conducting any debt settlement business in Minnesota without proper registration and compliance with state laws and must pay $1,081,756.59, representing the total amount collected from Minnesota consumers. For more information, click here.
• On October 11, the Office of Administrative Law approved the California Department of Financial Protection and Innovation’s proposed regulations on direct-to-consumer (i.e., nonemployer offered) earned wage access (EWA) products. The final regulations include several key provisions: direct-to-consumer EWA products are classified as loans under the California Financing Law (CFL); providers of EWA products must register with the state and comply with specific regulatory requirements, in lieu of licensure under the CFL; the regulations define “charges” to include gratuities and expedited payment fees. The regulations will become effective on February 15, 2025. For more information, click here.