Consistent with state data breach notification laws, the Neiman Marcus Group, LLC publicly announced in January 2014 that its customers’ payment card information had potentially been compromised at 77 Neiman Marcus retail locations between March 2013 and January 2014. In total, 370,000 credit cards were compromised as a result of the intrusion, and at least 9,200 credit cards are known to have been used fraudulently.

Almost five years later, state attorneys general from 43 states and the District of Columbia entered into an Assurance of Voluntary Compliance with Neiman Marcus, closing the Multistate’s investigation after Neiman Marcus agreed to pay a $1.5 million civil penalty. Additionally, this Multistate settlement ensures that the business will take the following actions:

  1. Ensure that storage, process, and transmission of credit card data comply with the Payment Card Industry Data Security Standard;
  2. Maintain an appropriate system to collect and monitor network activity to report suspicious activity, including activity logs that are regularly reviewed and monitored in near real-time;
  3. Maintain agreements with at least two qualified Payment Card Industry forensic investigators;
  4. Update software associated with protecting cardholder data and create a written plan for updating and replacing this software;
  5. Implement steps to review and ensure that its practices are consistent with industry-accepted payment card technologies, such as use of chip and PIN technology;
  6. “Devalue payment card information” through encryption and tokenization and other methods “to obfuscate payment card information throughout the course of retail transaction” at Neiman Marcus retail locations; and
  7. Engage a third-party assessor who will report on the safeguards utilized by Neiman Marcus to meet its information security program goals and provide this report to the signatory state attorneys general.

Attorneys general for Illinois and Connecticut led the investigation. Additionally, a class action settlement related to this data breach has already been filed, and affected claimants were able to receive a payment of up to $100. The claim period for this class action ended in 2018.

This is already the third Multistate settlement this year. Specifically, state attorneys general have entered into Multistate settlements with for-profit education company Career Education Corporation to resolve claims of unfair and deceptive practices and with Fiat-Chrysler and Bosch related to their installation of defeat device software to conceal actual emissions levels in diesel motor vehicles.

On January 3, 49 state attorneys general announced a settlement with Career Education Corporation (“CEC”), a for-profit education company, to resolve claims that CEC engaged in unfair and deceptive practices.  The settlement requires CEC to forgo any collection efforts against $493.7 million in outstanding loan debt held by nearly 180,000 former students.  It also imposes a $5 million fine on the company.  California was the only state not participating.

CEC operates online courses through American InterContinental University and Colorado Technical University.  CEC’s other brands include Briarcliffe College, Brooks Institute, Brown College, Harrington College of Design, International Academy of Design & Technology, Le Cordon Bleu, Missouri College, and Sanford-Brown.  According to the attorneys general, CEC used “emotionally-charged language” emphasizing the pain in prospective students’ lives to encourage them to enroll in CEC’s schools, deceived students regarding the total costs of enrollment, misled students about the transferability of their earned credits, misrepresented job prospects for graduates, and deceived prospective students about post-graduation employment rates.  The attorneys general contended that students who enrolled in CEC classes incurred substantial debts that they could not repay or discharge, when they otherwise would not have done so absent the misrepresentations.  CEC denied the allegations, but entered into the settlement agreement to resolve the AGs’ claims.

The settlement agreement requires CEC to make improved disclosures to students, including anticipated total direct costs, median debt for completion of CEC’s programs, program default rates, program completion rates, transferability of credits, median earnings for graduates, and job placement rates.  CEC must also improve students’ ability to cancel their enrollment, allowing students no fewer than seven days to cancel and receive a full refund, and up to 21 days for students with fewer than 24 credits from online programs.  In addition, the AGs are requiring CEC to inform all qualifying former students that they no longer owe money to CEC.

The investigation was led by the Maryland Attorney General’s Office.  “CEC’s unscrupulous recruitment and enrollment practices caused considerable harm to Maryland students,” said Maryland Attorney General Brian Frosh.  “The company misled students.  It claimed that students would get better jobs and earn more money, but its substandard programs failed to deliver on those promises.  The school encouraged these students to obtain millions of dollars in loans, placing them at great financial risk.  Now CEC will have to change its practices and forgo collection on those loans.”

A copy of the settlement agreement is available here

A multistate coalition of attorneys general led by District of Columbia Attorney General Karl A. Racine is opposing three resolutions before Congress (S.J. Res. 19, H.J. Res. 62, and H.J. Res. 73) that would block a Consumer Financial Protection Bureau final rule intended to give users of prepaid cards some of the same protections given to users of traditional banking and credit products (the “Final Rule”).  The Final Rule is currently scheduled to go into effect on April 1, 2018.  On April 5, 2017, the coalition sent a letter to congressional leadership, urging opposition to resolutions that would block implementation of the rule.

The letter states that prepaid cards are a rapidly growing market and often used by consumers who have limited or no access to a traditional bank account.  It is becoming more common for consumers to receive wages or financial aid funds for student loans on prepaid cards.  In fact, since 2015, more consumers have been receiving their wages by prepaid cards than by conventional paper checks.  Consumers frequently report concerns to the CFPB about hidden or abusive fees associated with the prepaid cards and fraudulent transactions that deplete funds loaded onto them.  Although prepaid cards are generally designed to avoid overdraft fees, some of the payday lenders who provide funds through these cards have been subjecting consumers to poorly disclosed or undisclosed overdraft fees.

The CFPB’s Final Rule provides certain protections that are afforded to consumers for traditional financial products.  Among the provisions intended to protect consumers, the Final Rule seeks to:

  • Protect prepaid card users against fraud and unauthorized charges;
  • Help consumers avoid hidden fees and encourage them to comparison shop with a simple chart of common fees;
  • Provide convenient, free access to account transactions and account balances;
  • Require employers to inform employees they do not have to receive wages on a prepaid card; and
  • Require prepaid cards to comply with existing credit card laws (including an ability-to-pay analysis, limits on overdraft fees in the first year, and safeguards on how funds are repaid).

The resolutions to stop implementation of the CFPB’s Final Rule have been filed under the Congressional Review Act (“CRA”), meaning that if the rule is blocked by a CRA vote, the CFPB is forever barred from enacting a substantially similar rule unless Congress authorizes it.  Congress has recently revived the CRA as a way to block consumer protections put in place during the Obama administration.

In addition to the District of Columbia, the states signing on to the letter include California, Hawaii, Illinois, Iowa, Maine, Maryland, Massachusetts, Minnesota, Mississippi, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Virginia, and Washington.

Attorneys general from twenty-two states today announced that Classmates, Inc. which runs the website classmates.com, and Florists Transworld Delivery, Inc. and FTD.com, Inc. (collectively, “FTD”) have agreed to settle allegations that the companies were involved in misleading, unfair, and deceptive trade practices. Although FTD and Classmates did not admit to wrongdoing, they agreed to pay $11 million under the settlement.

The attorneys general alleged that FTD and Classmates, which were affiliated until 2013, entered into relationships with third-party marketers, such as travel rewards programs and discount clubs. The third-party marketers then used negative opt-out marketing schemes through which consumers would be enrolled in these programs and billed for associated charges unless they affirmatively opted out. Additionally, the attorneys general alleged that FTD and Classmates shared consumer data, including credit card information, so that the consumers could be billed for the charges. Such data-sharing is impermissible under the Restore Online Shoppers Confidence Act of 2010.

Participants in the settlement include the attorneys general of Alabama, Alaska, Delaware, Florida, Idaho, Illinois, Kansas, Maine, Maryland, Michigan, Nebraska, New Jersey, New Mexico, North Dakota, Ohio, Oregon, Pennsylvania, South Dakota, Texas, Vermont, Washington, and Wisconsin.

Like most industries today, Consumer Finance Services businesses continue to be significantly impacted by COVID-19. To help you keep abreast of relevant activities, below find a breakdown of some of the biggest legislative and regulatory events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On July 7, the Consumer Financial Protection Bureau (CFPB) issued a legal interpretation to ensure that companies that use and share credit and background reports have a permissible purpose under the Fair Credit Reporting Act. The CFPB’s new advisory opinion reiterates that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct. For more information, click here.
  • On July 5, the U.S. Office of Government Ethics issued a new legal advisory titled, “Application of the Securities and Mutual Fund Exemptions to Cryptocurrency, Stablecoins, and Relating Investments,” prohibiting any federal government employee who owns cryptocurrency from working on federal regulations and policies involving cryptocurrencies and stablecoins. For more information, click here.
  • On July 1, the Federal Reserve Board and the Federal Deposit Insurance Corporation announced that they extended the period for issuing feedback for the U.S. global systemically important banks’ 2021 resolution plans to allow the agencies additional time to analyze them. For more information, click here.
  • On July 1, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency released the 2022 list of distressed or underserved nonmetropolitan middle-income geographies. These are geographic areas where revitalization or stabilization activities are eligible to receive Community Reinvestment Act consideration per the “community development” definition under the agencies’ regulations. For more information, click here.
  • On June 29, the CFPB issued an advisory opinion focused on consumer debt collectors and the convenience fees they charge for some payments, such as online or by phone. For more information, click here.
  • On June 28, the CFPB issued an interpretive rule, encouraging states to enact more laws regulating consumer reporting, arguing that the Fair Credit Reporting Act only constrain states’ powers in limited ways. For more information, click here.

State Activities:

  • On July 8, Rhode Island Governor Daniel McKee signed SB 2794/HB 7781 into law, which requires a $50,000 bond for licensed debt collectors in Rhode Island. The bond amount for debt collectors is similar to bond amounts for other businesses in Rhode Island. For more information, click here.
  • On July 7, New York Attorney General Letitia James announced that she has reached a settlement with a residential renting company for failing to return security deposits to New Yorkers, following new changes to security deposit laws. The company purportedly failed to comply with the 2019 changes to the state’s rental laws and did not return security deposits to tenants within 14 days of the tenant vacating the apartment or provide a written itemized list of their reasons for keeping the deposit. Attorney General James stated, “Tenants deserve transparency and accountability from their landlords, and New Yorkers should trust that their security deposit will be returned to them as required by their leases and the law.” For more information, click here.
  • On July 1, North Carolina Attorney General Josh Stein announced a settlement with a company that owns and operates skilled nursing facilities in several states. The settlement with North Carolina and 22 other states resolves allegations that the company billed Medicaid for medically unnecessary rehabilitation therapy services and offered grossly substandard skilled nursing services. “Health care providers have a responsibility to provide quality care for their patients and be responsible stewards of taxpayer resources,” said Attorney General Josh Stein. “When they fail to do so, I will hold them accountable on behalf of North Carolinians.” For more information, click here.
  • On June 24, the Connecticut Department of Banking levied a $10,000 fine against a company for operating as a consumer collection agency in the state without obtaining the proper license. The company voluntarily agreed to the sanctions imposed “solely for the purpose of obviating the need for formal administrative proceedings,” according to the consent order. The company indicated that it was no longer operating as a consumer collection agency in Connecticut without a license. For more information, click here.
  • The Louisiana Office for Financial Institutions (OFI) recently proposed rules governing virtual currency businesses in Louisiana, which follow the mandate set by the Virtual Currency Business Act (VCBA), effective August 1, 2020, requiring virtual currency businesses to hold a license in Louisiana and granting administrative and enforcement authority to OFI. According to OFI, the newly issued rules provide “clear and concise guidance that will allow for the implementation and enforcement of the provisions of the VCBA.” For more information, click here.

Privacy and Cybersecurity Activities:

  • On July 8, the California Privacy Protection Agency (CPPA) announced the commencement of the formal rulemaking process for the California Privacy Rights Act (CPRA). During this rulemaking process, interested parties will have an opportunity to provide feedback on the CPRA’s implementing regulations, a first draft of which was released on June 8. The written comment period for these regulations will close on August 23, and live hearings will be held from August 24-25 in Oakland, CA. For more information, click here.
  • On July 8, President Biden signed an executive order, protecting access to reproductive health care services. Under the order, the Federal Trade Commission (FTC) chair is “encouraged to consider actions … to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.” The order also directs the Health and Human Services (HHS) secretary to consider possible actions, including new guidance under the Health Insurance Portability and Accountability Act (HIPAA), to “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.” For more information, click here.

Like most industries today, Consumer Finance Services businesses continue to be significantly impacted by COVID-19. To help you keep abreast of relevant activities, below find a breakdown of some of the biggest legislative and regulatory events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On June 26, the Bank for International Settlements released its Annual Economic Report 2022, arguing that global monetary systems should be built upon central bank digital currencies (CBDCs), not cryptocurrencies. For more information, click here.

  • On June 23, the Federal Trade Commission (FTC) proposed a new and historic federal regulation specific to car dealers to address concerns of consumer deception in the sales process. The proposed Motor Vehicle Trade Regulation Rule would:

    • Require price advertising to be based on a standard formula for presenting the “Offering Price” for a vehicle;

    • Require new paperwork in the sales process to confirm that any optional “add-on” products included in a sale are purchased voluntarily with the “Express, Informed Consent” of the consumer; and

    • Prohibit a laundry list of specific kinds of misrepresentations in the sales process.

The commissioners approved the proposal in a 4-1 vote, garnering the support of three Democratic appointees and one Republican appointee, which bodes well for the rule’s final adoption. The FTC seeks comments on the proposed rule within 60 days of the rule’s official publication in the Federal Register. For more information, click here.

  • On June 24, the Consumer Financial Protection Bureau (CFPB or Bureau) announced that it will amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to address recent legislation that assists consumers who are victims of trafficking. This final rule establishes a method for victims of trafficking to submit documentation to consumer reporting agencies, including information identifying any adverse item of information about the consumer that resulted from certain types of human trafficking, while also prohibiting consumer reporting agencies from furnishing a consumer report containing the adverse item(s) of information. As mandated by the National Defense Authorization Act for Fiscal Year 2022, the Bureau is taking this action to assist consumers who are victims of trafficking in building or rebuilding financial stability and personal independence. For more information, click here.

  • On June 23, the Federal Reserve Board released the results of its annual bank stress test, which showed that banks continue to have strong capital levels, allowing them to continue lending to households and businesses during a severe recession. All banks tested remained above their minimum capital requirements, despite total projected losses of $612 billion. Under stress, the aggregate common equity capital ratio — which provides a cushion against losses — is projected to decline by 2.7% to a minimum of 9.7%, which is still more than double the minimum requirement. For more information, click here.

  • On June 22, the CFPB took “the first step toward addressing credit card company penalty policies costing consumers $12 billion each year, starting by looking at excessive late fees.” In an Advance Notice of Proposed Rulemaking, the CFPB asks for information on the Federal Reserve Board of Governors’ 2010 immunity provision for excessive late fees that allows credit card companies to escape enforcement scrutiny. The CFPB seeks data about credit card late fees and late payments, assessing whether those fees are “reasonable and proportional.” It is also requesting data about card issuers’ revenue and expenses, the potential deterrent effect of late fees, and the role late fees play in credit card companies’ profitability. For more information, click here.

  • On June 22, the Office of Information and Regulatory Affairs released the Spring 2022 Unified Agenda of Regulatory and Deregulatory Actions. The report, which includes contributions related to the Securities and Exchange Commission, lists short- and long-term regulatory actions that administrative agencies plan to take. For more information, click here.

  • On June 21, the Department of Justice (DOJ) filed a lawsuit and a settlement framework with Meta Platforms, Inc. (previously known as Facebook) to resolve allegations that Meta’s advertising placement algorithms discriminate against Facebook users based on their race, color, religion, sex, disability, familial status, and national origin in violation of the Fair Housing Act. The DOJ action stemmed directly from the discrimination charge filed by HUD against Facebook in 2019. For more information, click here.

  • On June 21, the Federal Deposit Insurance Corporation (FDIC) issued a notice of proposed rulemaking, applicable to all insured depository institutions, to increase initial base deposit insurance assessment rates by 2 basis points, beginning with the first quarterly assessment period of 2023. The FDIC concurrently adopted an amended restoration plan, which incorporates the increase in initial base assessment rates to raise the reserve ratio to the minimum threshold of 1.35% by the September 30, 2028 statutory deadline. The proposed assessment rate schedules would remain in effect unless and until the reserve ratio meets or exceeds 2% to support growth in the deposit insurance fund in progressing toward the FDIC’s long-term goal of a 2% designated reserve ratio. For more information, click here.

  • On June 17, the CFPB Director Rohit Chopra announced that the CFPB intends to “move away from highly complicated rules” in favor of “simpler and clearer rules.” As part of this effort, the CFPB will “dramatically [increase] the amount of guidance it [provides] to the marketplace,” while intending such guidance to be simple and straight forward. For more information, click here.

  • On June 15, in a keynote address at the Consumer Federation of America’s 2022 Consumer Assembly, CFPB Deputy Director Zixta Martinez squarely took aim at “rent-a-bank schemes” in some of the first (if not the first) such comments by a senior CFPB official. Historically, the CFPB confines itself to “true lender” litigation against participants in high-rate programs involving Native American tribal parties (and not banks) already challenged by state enforcement authorities. We view Deputy Director Martinez’s comments as potentially signaling more widespread pursuit of this theory by the CFPB. For more information, click here.

State Activities:

  • On June 22, Pennsylvania Attorney General Josh Shapiro announced, as part of a coalition of 46 attorneys general, a $1.25 million multistate settlement with Florida-based Carnival Cruise Line (Carnival), stemming from a 2019 data breach involving the personal information of 180,000 Carnival employees and consumers nationwide. While Carnival publicly reported the breach in March 2020, notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in May 2019 — 10 months before Carnival reported the breach. “When personal data is exposed to bad actors, it’s essential that consumers are notified as quickly as possible,” said AG Shapiro. “Added delays increase the possibility of that personal data being used for nefarious purposes.” For more information, click here.

  • On June 21, Connecticut Attorney General William Tong and Department of Consumer Protection Commissioner Michelle Seagull advised homeowners interested in residential solar panels to do careful research and be wary of misleading marketing and high-pressure sales tactics by solar companies. Attorney General Tong and Commissioner Seagull “warned consumers to pay particular attention to: whether their home gets adequate sun exposure to justify the solar panel investment, whether their current roof will need replacement during the projected life of the solar panels, how tax credits and refunds work, the effect solar panels may have on their home’s value, and how selling their home would be affected if leasing solar panels.” For more information, click here.

  • On June 8, the New York State Department of Financial Services (NYDFS) issued new guidance on issuing U.S. dollar-backed stablecoins, establishing first-of-its-kind state standards for USD-backed stablecoins issued by entities subject to NYDFS regulation. Informal policies have been in place since 2018, but NYDFS Superintendent Adrienne A. Harris believes this new guidance “creates clear criteria for virtual currency companies looking to issue USD-backed stablecoins in New York.” For more information, click here.

Privacy and Cybersecurity Activities:

  • On June 23, the House Subcommittee on Consumer Protection and Commerce unanimously passed an amended draft of the American Data Privacy and Protection Act (ADPPA). This legislation would create a comprehensive federal privacy regime and would preempt most existing state privacy laws. The ADPPA now moves to the House Committee on Energy and Commerce, which will consider this legislation next month. If passed by the House, this legislation may face significant challenges in the Senate where key leadership members have indicated that the legislation’s current version would not advance. For more information, click here.

  • On June 21, President Biden signed the State and Local Government Cybersecurity Act of 2021 (S.2520), which updates the Homeland Security Act and directs the Department of Homeland Security to improve information sharing and coordination with state, local, and tribal governments. This legislation encourages federal cybersecurity experts to share information regarding cybersecurity threats, vulnerabilities, and breaches, as well as resources to prevent and recover from cyberattacks. The law also builds on previous efforts by the Multi-State Information Sharing and Analysis Center (MS-ISAC) to prevent, protect, and respond to future cybersecurity incidents. For more information, click here.

Please join Troutman Pepper Partner Chris Willis and guests Troutman Pepper Associates Chris Carlson and Susan Nikdel as they discuss the multistate coalition of state attorneys general calling on many of the nation’s largest banks to eliminate overdraft fees. The conversation focuses on what was done, which state attorneys general participated, the current controversy surrounding overdraft fees, and several key takeaways for the industry going forward.

As a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, Chris Carlson represents clients in regulatory, civil, and criminal investigations and litigation. As a member of the firm’s Consumer Financial Services Practice Group, Susan Nikdel represents clients in financial services litigation, as well as clients facing regulatory examinations and investigations brought by the CFPB, state attorneys general, and the California Department of Financial Protection and Innovation.

Continue Reading State Attorneys General Call on Financial Giants to Eliminate Overdraft Fees

Like most industries today, Consumer Finance Services businesses continue to be significantly impacted by COVID-19. To help you keep abreast of relevant activities, below find a breakdown of some of the biggest legislative and regulatory events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On May 6, the Federal Trade Commission joined the Consumer Financial Protection Bureau (CFPB) in filing an amicus brief with the U.S. Court of Appeals for the Second Circuit. The brief asks the court to overturn a lower court decision, which held that a consumer reporting agency was not liable for failing to investigate a wrongfully reported debt because the inaccuracy was “legal” and not “factual.” For more information, click here.
  • On May 5, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of Currency issued a proposal to strengthen and modernize regulations, implementing the Community Reinvestment Act (CRA) to better achieve the purposes of the law. Enacted 45 years ago, CRA encourages banks to help meet the credit needs of their local communities. For more information, click here.
  • On May 3, the CFPB issued an advisory after student loan borrowers submitted complaints regarding companies that promised them student loan forgiveness or loan forbearance in exchange for fees amounting to hundreds or thousands of dollars. Borrowers believed they spoke to their servicers or companies authorized by the Department of Education because they often knew private information, such as the borrower’s loan balance or recent consolidation activity. For more information, click here.
  • On May 2, the CFPB released its Supervisory Highlights report on legal violations identified during the CFPB’s supervisory examinations in the second half of 2021. The report details key findings across consumer financial products and services. For more information, click here.
  • On April 28, the Joint Chiefs of Global Tax Enforcement (J5) announced the release of an intelligence bulletin, warning banks, law enforcement personnel, and private citizens of some of the dangers when dealing with non-fungible tokens (NFTs). The document, called the “J5 NFT Marketplace Red Flag Indicators,” is the first of its kind from the J5. It lists items that should draw concern when one is dealing with NFTs or planning to purchase one. The document is not meant to be an all-inclusive list of risks associated with NFTs, but rather a list of best practices from the five countries in the J5 from their dealings with NFTs in various investigations. For more information, click here.

State Activities:

  • On May 6, Georgia Attorney General Chris Carr joined a coalition of 20 attorneys general in opposing the Disinformation Governance Board in a letter sent to Department of Homeland Security Secretary Alejandro Mayorkas. According to a press release, the “attorneys general argue that this government watchdog agency would abridge a citizen’s right to express their opinions and disagree with the government, furthering self-censorship rather than protecting freedom of speech,” and the “board’s creation is also an example of federal overreach.” For more information, click here.
  • On May 4, New York Attorney General Letitia James led a multistate coalition of eight attorneys general, calling on President Joe Biden to fully cancel federal student debt owed by every federal student loan borrower in the country. “While I commend President Biden for giving serious consideration to forgiving $10,000 per borrower, we must take bolder, more decisive action to end this crisis and provide Americans with the tools they need to thrive,” said Attorney General James. “Student debt keeps millions of struggling borrowers from reaching financial stability and leads to a cycle of financial burdens that follow them throughout their lives.” According to the corresponding press release, student borrowers currently owe more than $1.7 trillion to the federal government. For more information, click here.
  • On May 4, Virginia Attorney General Jason Miyares announced that approximately $3.5 million has been secured from Intuit, Inc. (Intuit), the owner of TurboTax, for deceiving Virginia consumers into paying for tax services advertised as “free.” In addition to suspending a “free, free, free” ad campaign, Intuit will pay a total of $141 million in restitution as a result of a multistate agreement. “TurboTax took advantage of and deceived Virginians. I’m proud of the role my office played to secure substantial relief for the Virginia consumers that TurboTax misled,” said Attorney General Miyares. For more information, click here.
  • On May 4, California Governor Gavin Newsom signed an executive order, under California’s 2020 Consumer Financial Protection law, that begins the process of creating a regulatory approach to spur responsible innovation, while protecting California consumers; assess how to deploy blockchain technology for state and public institutions; and build research and workforce development pathways. For more information, click here.
  • On May 4, New York Governor Kathy Hochul signed bill S.5924-C/A.6938-B that prohibits colleges from withholding a student’s transcript because of unpaid debts or charging individuals who owe debts a higher fee to obtain their transcript. For more information, click here.

Privacy and Cybersecurity Activities:

  • On May 3, Vice reported that the Center for Disease Control (CDC) tracked millions of Americans to see if they followed COVID-19 lockdown orders. Specifically, the CDC harvested location data to track patterns of people visiting K-12 schools and to track the effectiveness of policy in the Navajo Nation. Vice reports that “although the CDC used COVID-19 as a reason to buy access to the data more quickly, it intended to use it for more general CDC purposes.” Vice obtained the documents through a Freedom of Information Act (FOIA) request. To read more, click here.
  • On May 5, the National Institute for Standards and Technology (NIST) released an update to its Cybersecurity Guidelines for Supply Chain Risk Management. The update provides guidance on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization. Aimed at acquirers and end users of products, software, and services, the guidance intends to help organizations “build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks.” To read the updated guidance, click here.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On April 8, Acting Comptroller of the Currency Michael Hsu discussed the architecture of a U.S. dollar-based stablecoin system and policy considerations regarding stablecoin stability, interoperability, and separability. For more information, click here.

  • On April 7, the Consumer Financial Protection Bureau (CFPB) announced that it is using its rulemaking authority to propose that consumer reporting agencies (CRAs) do not prevent human trafficking survivors from achieving financial independence. The proposed rule would protect human trafficking survivors by preventing CRAs from including negative information resulting from abuse. Congress required the CFPB to issue rules as part of the recently enacted Debt Bondage Repair Act. For more information, click here.

  • On April 7, Secretary of the Treasury Janet Yellen addressed the Biden administration’s forthcoming legislative approach to digital assets, as we discussed here, as well as the digitization of the American economy, which Yellen assessed through the lens of five lessons she suggests are often implicated by emerging technologies generally: (1) responsible innovation; (2) appropriate guardrails; (3) monetary sovereignty; (4) technological neutrality; and (5) interagency and international collaboration. For more information, click here.

  • On April 6, the U.S. Department of Education announced an extension of its pause on student loan repayment, interest, and collections through August 31, 2022. For more information, click here.

  • On April 6, the CFPB published a report, showing that few payday loan borrowers benefit from no-cost extended payment plans, which must be offered to borrowers in the majority of states that do not prohibit payday lending. Instead of using the payment plans, borrowers continue to pay for costly loan rollovers. While no-cost extended payment plans are meant to help borrowers exit the cycle of rollovers and fees, the payday business model continues to depend on high rollover rates and fees. For more information, click here.

  • On April 6, the Federal Housing Finance Agency announced that Fannie Mae and Freddie Mac will require servicers to suspend foreclosure activities for up to 60 days if the servicer has been notified that a borrower has applied for assistance from the Treasury Department’s Homeowner Assistance Fund. For more information, click here.

  • On April 6, Senator Pat Toomey (R-PA) released a draft of the Stablecoin Transparency of Reserves and Uniformed Safe Transactions Act, also called the Stablecoin TRUST Act of 2022. The bill includes a definition of “payment stablecoin,” which must be convertible directly to fiat currency and its backing must be with assets “with a market value equal to not less than 100 percent of the par value of the payment stablecoins outstanding” and “that are cash and cash equivalents or level 1 high-quality liquid assets denominated in United States dollars.” For more information, click here.

  • On April 5, the Federal Reserve Board announced that it had prohibited six former bank employees from future employment in the banking industry for fraudulently obtaining loans and grants administered under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. For more information, click here.

State Activities:

  • On April 7, the New York Department of Financial Services issued guidance “to address potential confusion” about how to comply with a new statute of limitations requirement that went into effect last week. The new requirement would lower the statute of limitations period to three years, while also disallowing a partial payment to restart the statute of limitations and requiring additional disclosures to be made. For more information, click here.

  • On April 6, New York Attorney General Letitia James announced a lawsuit against a law firm and its partners for “engaging in deceptive rent collection practices and initiating frivolous lawsuits against New York tenants.” The lawsuit was filed after the attorney general’s office investigated the firm and found it “did not conduct any meaningful reviews of their non-payment eviction cases before filing litigation, resulting in the distribution of deceptive rent collection letters, unnecessary legal actions against tenants, and improper evictions without cause.” Attorney General James’ office claims the conduct “violates New York Executive Law, the Federal Debt Collection Practices Act, and the New York General Business Law.” For more information, click here.

  • On April 6, California Attorney General Rob Bonta, as part of a multistate coalition of 17 attorneys general, urged the nation’s largest banks to eliminate overdraft fees. According to the press release, “U.S. consumers paid an estimated $11 billion in overdraft fees in 2019, with the financial burden disproportionately falling on low-income consumers and consumers of color.” In support of the request, Attorney General Bonta stated, “For banks, overdraft fees are easy way to pad their profits, but for struggling consumers, these fees can seriously derail their financial plans.” For more information, click here.

  • On March 24, Utah’s governor signed the Commercial Financing Registration and Disclosure Act (CFRDA) into law. Under the CFRDA, beginning January 1, 2023, commercial financing providers must register with the Utah Department of Financial Institutions and provide certain disclosures. These disclosures include the amount of funds provided to the business, the total amount to be paid to the provider, and information about the costs or discounts associated with the prepayment. For more information, click here.

Privacy and Cybersecurity Activities:

  • On April 6, the Department of Human Health and Services (HHS) issued a request for information, seeking input on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITEACH Act), as amended in 2021. Specifically, HHS seeks comment on Section 13412 and Section 13410(c)(3). Section 13412 requires the HHS to consider certain recognized security practices of covered entities and business associates when determining potential fines, audit remedies, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Section 13410(c)(3) requires the HHS to establish a methodology to determine potential civil monetary penalties and settlement sharing for individuals harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules. For more information, click here.

  • On April 7, California Attorney General Rob Bonta announced a new partnership with the Federal Communications Commission (FCC) on robocall investigations to protect consumers and businesses from scams and financial loss. This partnership establishes critical information sharing and cooperation structures to investigate spoofing and robocalls scam campaigns. For more information, click here.

On March 24, Utah’s governor signed the Commercial Financing Registration and Disclosure Act (CFRDA) into law. Under the CFRDA, beginning January 1, 2023, commercial financing providers must register with the Utah Department of Financial Institutions (Department) and provide certain disclosures.

Utah’s registration requirement is the first applicable to providers of accounts receivable purchase transactions (commonly known as merchant cash advances, or MCAs), as Virginia’s governor has not yet signed HB1027, which also has registration and disclosure requirements.

Utah is also the third state to create commercial financing disclosure requirements applicable to accounts receivable purchase transactions, after New York and California. The New York and California requirements have not yet taken effect due to regulatory delays, but unlike New York and California, Utah does not require an APR or similar rate disclosure.

Who Will Be Required to Register?

The CFRDA requires a “provider” of commercial financing transactions to register annually with the Department and pay a fee, unless an exemption applies.

A “commercial financing transaction” includes a commercial loan, a commercial open-end credit plan, and an accounts receivable purchase transaction.

A “provider” is a person who offers more than five commercial financing transactions in Utah in any calendar year. A provider also includes a person who, under an agreement with a depository institution, offers one or more commercial financing products provided by the depository institution via an online platform that the person administers.

However, there are several exemptions from the CFRDA for certain entities and types of transactions, including for:

  • Depository institutions and certain regulated subsidiaries and service corporations;
  • Money transmitters licensed under Utah law;
  • Commercial mortgages;
  • Leases;
  • Purchase money obligations;
  • Commercial loans and open-end credit plans of $50,000 or more to motor vehicle dealers or rental companies;
  • Commercial financing transactions offered in connection with the sale of a product that the person manufactures, licenses, or distributes; and
  • Commercial financing transactions of more than $1,000,000.

As a result, although depository institutions and some regulated subsidiaries are exempt from the CFRDA, some bank partners who administer an online platform under an agreement with a depository institution may be required to register if they “offer” one or more products provided by the depository institution. The term “offer” is not defined.

Registration will require registering with the Nationwide Multistate Licensing System and Registry (NMLS), providing certain information about the provider, and disclosing information about certain control persons relating to specified criminal convictions. However, the Department may issue a rule requiring additional information.

What Are the Disclosure Requirements?

The CFRDA requires a provider to give certain disclosures before consummating a commercial financing transaction. Unlike California and New York, Utah will not require an APR or similar rate disclosure.

For all commercial financing transactions, the CFRDA requires the following disclosures:

  1. The amount of funds provided to the business under the terms of the commercial financing transaction, and the amount disbursed to the business, if less than the amount of funds provided;
  2. The total amount to be paid to the provider;
  3. The total dollar cost of the commercial financing transaction, which is the difference between the amount provided to the business and the amount to be paid to the provider;
  4. The manner, frequency, and amount of each payment, or an estimated amount of an initial payment if the payments vary;
  5. Information about costs or discounts associated with prepayment; and
  6. Any amounts provided to the business under the agreement that will be paid by the provider to a broker.

The agreement also must include a description of the method of calculating any variable payments and the circumstances under which payments may vary.

For commercial open-end credit plans the disclosures also must be provided after any disbursement of funds. Those disclosure requirements apply to a commercial financing transaction consummated after January 1, 2023. The Department may also require additional disclosures.