Yesterday, the Consumer Financial Protection Bureau (CFPB or Bureau) issued Circular 2024-04 warning financial institutions about the potential illegality of nondisclosure agreements (NDAs) that could deter whistleblowing. Specifically, the Bureau addressed whether requiring employees to sign broad confidentiality agreements violates § 1057 of the Consumer Financial Protection Act (CFPA). According to the CFPB, the answer is “yes” under circumstances that could lead an employee to reasonably believe that they would be sued or subject to other adverse actions if they disclosed suspected violations of federal consumer financial law to government investigators or a law enforcement agency.

Dear Mary,

Each of the 50 states has its own definition of what constitutes a reportable data breach. For some, it requires “unauthorized access” to personal information. For others, it requires “unauthorized acquisition.” And then, some states have further qualifications to their definition, such as whether that unauthorized access or acquisition “compromises” or “materially compromises” the integrity, security, or confidentiality of the data. No states (apart from New York) define access or acquisition, and no state defines compromise vs. material compromise. How would you suggest analyzing all these varying terms?

– Patchwork

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Jesse Silverman, a seasoned member of Troutman Pepper’s Financial Services team, and Alex Johnson, a fintech industry expert and author of the Fintech Takes newsletter. The episode delves into the evolving landscape of bank-fintech partnerships and banking as a service, exploring the regulatory challenges and existential risks faced by fintech companies. The conversation highlights the need for more robust regulatory frameworks, improved consumer disclosures, and the importance of serious, well-vetted partnerships to ensure the sustainability and innovation of the fintech sector. Tune in to gain insights into the future of fintech and the critical role of regulatory compliance in fostering a secure and innovative financial ecosystem.

The Consumer Financial Protection Bureau (CFPB or Bureau) recently released its semi-annual regulatory agenda, outlining its planned rulemaking initiatives. The CFPB releases regulatory agendas twice a year in voluntary conjunction with a broader initiative led by the Office of Budget and Management to publish a Unified Agenda of Regulatory and Deregulatory actions across the federal government. This agenda includes a mix of rules in the pre-rulemaking, proposed rule, and final rule stages, covering a wide range of topics from mortgage closing costs to financial data transparency. The CFPB has not yet posted a blog or issued a press release about the agenda.

Yesterday, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed interpretive rule opining that earned wage access (EWA) products — whether provided through employer partnerships or marketed directly to borrowers — are subject to Truth in Lending Act (TILA) and Regulation Z requirements. The proposed rule’s broad definitions and aggressive stance on fees and tips as finance charges conflict with many state laws and could lead to litigation.

Yesterday, the Consumer Financial Protection Bureau (CFPB or Bureau) filed a brief in the U.S. District Court for the Northern District of Texas in support of its motion to dissolve the preliminary injunction that has stayed the implementation of its credit card late fee rule. Concurrently, the Bureau also filed a notice of supplemental authority in support of their motion to dismiss or transfer on the grounds that the Fort Worth Chamber of Commerce does not have associational standing to bring the suit. Within hours, the court issued an order requiring further briefing on the issue of associational standing.

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Partners Ron Raether and Tim St. George to discuss a landmark victory in a major data breach class action multidistrict litigation. The team delves into the details of the successful defense of an attempt at class certification involving a ransomware attack on software provider Blackbaud. This episode highlights the strategic legal maneuvers, team approach, extensive discovery, and expert practices that led to this important industry win. Don’t miss this in-depth case study and learn how the Troutman Pepper team navigated one of the largest and most complex data breach cases in history.

Dear Mary,

I am the privacy compliance officer at a cloud-based software company. We recently experienced an incident where, although none of our client’s data was compromised, it appears that our employees’ information may have been copied and removed from our environment. This information includes employees’ full names, salaries, and salary schedules. All of our employees reside in California, and given the CCPA’s broad definition of personal information, I am assuming notification will be required?

– Frowning in Fresno

After several attempts in the Missouri legislature, last week Governor Mike Parson signed a Commercial Financing Disclosure Law. This legislation requires certain disclosures to be made by providers of commercial purpose closed-end and open-end loans, and sales-based financing transactions. The law will take effect six months after the Division of Finance finalizes promulgating rules or on February 28, 2025, if the Division does not intend to promulgate rules.