Last Week, This Morning

November 18, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)[1]" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

CFPB Report Analyzes Whether State Privacy Laws Provide Adequate Protection of Consumers' Financial Data

On November 12, the Consumer Financial Protection Bureau released a report summarizing federal and state privacy laws that provide protections for consumers' financial data. The CFPB found that federal consumer data privacy laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act provide protections but that all of the relatively new state consumer data privacy laws (citing 18 states that have passed such laws between January 2018 and July 2024) provide exemptions for financial institutions and/or financial data subject to the GLBA and exemptions for activity to which the FCRA applies. Therefore, according to the CFPB, these state consumer data privacy laws do not provide consumers with adequate protections over their financial data, and states should "consider whether removing or narrowing these exemptions is appropriate to ensure that consumer financial data is protected." The report emphasizes that additional state-level protections are necessary in light of consumer financial services companies' increasingly "building business models premised on the monetization of consumer [financial] data," including by selling that data to third parties.

Amicus brief(ly): Hmmm (scratching our heads) .... The CFPB recently finalized its Open Banking Rule (also referred to as the "1033 Rule") that gives consumers considerable control over their financial data. And the GLBA has been around for decades, while the Safeguards Rule under the FCRA has also protected consumer data for a number of years. Collectively, these federal laws provide a strong consumer protection framework that now, with the Open Banking Rule, really empowers consumers to manage what happens with their financial data. It seems odd for the CFPB to take issue in this report with states exempting certain financial institutions and data from their privacy laws when the federal laws apply, suggesting that because Congress left the door open for states to enact laws that are more protective of consumers than federal law, the states should do exactly that. But in this and other contexts where the states have that express authority, the states have reviewed federal law and are content with its protections. Maybe the CFPB is not happy with its work on the Open Banking Rule. Whatever the reason for issuing this report, we commend it to you for the state law review but not much more.

Texas Revises Motor Vehicle Installment Sales Rules

The Finance Commission of Texas amended its motor vehicle installment sales rules in 7 TAC Chapter 84, generally effective November 14. The changes include:

  • Amendments to Section 84.602 replace the "responsible person" requirement in connection with the filing of a new motor vehicle sales finance license application with a requirement to list a "compliance officer," who must be an individual responsible for overseeing compliance regarding the Office of the Consumer Credit Commissioner and authorized to receive and respond to communications from the OCCC.
  • Amendments to Section 84.608 specify that if the eligibility requirements for a license have not been met, the OCCC will send a notice of intent to deny the license application, and an affected applicant has 30 days from the date of the notice to request a hearing.
  • Amendments to Section 84.611 and new Section 84.710 relate to annual reports filed by licensees and specify a June 30 deadline for filing the report.
  • Amendments to Section 84.613 relate to the OCCC's review of the criminal history of a motor vehicle applicant or licensee to ensure consistency with 2019 House Bill 1342, which changed the factors to be considered in determining whether an offense relates to the duties and responsibilities of the licensed occupation.
  • Amendments to Section 84.616 clarify that the license display requirement does not apply to a location or office that is not open to the general public, such as a servicing or collection office that operates exclusively online or by phone.
  • An amendment to Section 84.617(e) specifies that the late filing fee for a registered office is $250.
  • Amendments to Section 84.707 update recordkeeping requirements for retail sellers that assign motor vehicle retail installment contracts to specify that licensees that maintain transaction records electronically must be able to sort or filter the retail installment transaction report by date of the contract or sale, the retail buyer's name, the status of the transaction (open or closed), whether the transaction has been assigned, and the name of any assignee. Additional amendments to Section 84.707 relate to data security recordkeeping and specify that: (1) licensees must maintain written policies and procedures for an information security program to protect retail buyers' customer information, as required by the Federal Trade Commission's Safeguards Rule, 16 C.F.R. part 314; (2) if a licensee maintains customer information concerning 5,000 or more consumers, the licensee must maintain a written incident response plan and written risk assessments, as required by 16 C.F.R. § 314.4; and (3) licensees must maintain data breach notifications to consumers and to the Office of the Attorney General under Section 521.053 of the Texas Business & Commerce Code.
  • Amendments to Section 84.708 update recordkeeping requirements for retail sellers that collect payments on motor vehicle retail installment contracts to specify requirements for sorting or filtering the retail installment sales transaction report and the alphabetical records search, specify requirements to maintain policies and procedures for an information security program, and specify requirements to maintain data breach notifications. Amendments to Section 84.709 make the same changes with regard to holders that take assignment of motor vehicle retail installment contracts.
  • Amendments to Section 84.802 clarify the requirements for submitting non-standard plain language contracts by specifying that such contracts "must be consistent with Texas law and federal law" and by specifying the grounds for disapproving such contracts under Section 341.502(c) of the Texas Finance Code.
  • Amendments to Section 84.806 update the list of typefaces that are considered easily readable for plain language contracts.
  • Amendments to Section 84.808, effective January 1, 2025, revise provisions to refer to inspection program replacement fees and emissions inspection fees in place of government inspection fees. Amendments to Section 84.809 make similar changes.

Amicus brief(ly): Texas sales finance company licensees and dealers ought to download this rule from the Finance Commission of Texas and update their systems and processes to track these updated administrative requirements. The updates in the rule do not all require immediate action, but the recordkeeping requirements are detailed and important, and so is the update to the model contract provisions that names Arial, Calibri, Georgia, Helvetica, Times New Roman, and Verdana as "easily readable typeface." Most of the changes were effective last week, notwithstanding the publication date of November 8 for this rule, so time is of the essence.

California Privacy Protection Agency Investigates Data Broker Compliance with Delete Act

The California Privacy Protection Agency's Enforcement Division recently announced that it is conducting an investigative sweep of data broker registration compliance under the California Delete Act, which was enacted in October 2023. Under the Delete Act, covered data broker businesses must register with the CPPA and pay an annual fee. The penalty for failing to register by the January 31 deadline each year is $200 per day. In addition to the annual registration requirement, the Delete Act requires data brokers to: (1) disclose the number of consumer deletion requests they receive and the average response time to the requests; (2) report if they collect the personal information of minors, reproductive healthcare data, and precise geolocation data; and (3) provide a link on their website informing consumers of their rights under the California Consumer Privacy Act. Starting in 2026, consumers will be able to use a new deletion mechanism, which will allow them to direct all data brokers registered in California to delete their personal information in a single request.

Amicus brief(ly): If you missed the announcement of the final Open Banking Rule a couple of weeks ago, this California investigation will remind you that government agencies continue to focus on giving consumers control over their financial data. This investigative sweep focuses on data broker registration requirements, but underlying those requirements is the four-year-old CCPA that preceded the Open Banking Rule in empowering California consumers to have more control over their financial data. If other states are not satisfied with the tools consumers have under the Open Banking Rule, we can expect them to emulate California, Virginia, Colorado, and others and enact comprehensive data privacy laws that further empower consumers to decide whether and how companies harvest and share their data. It remains to be seen whether the states will heed the CFPB's admonition to expand the scope of their data privacy laws (as referenced above).

CFPB and DOJ Study Finds Differential Treatment in Small Business Lending Market

On November 13, the Consumer Financial Protection Bureau released a report - Matched-Pair Testing in Small Business Lending Markets - that presents the results of a research study conducted by the Bureau and the Department of Justice on whether Black and White individuals posing as small business owners seeking loans from certain banks would experience differential treatment. In the study, test participants visited 25 bank branches located in Fairfax County, Virginia, and 25 bank branches located in Nassau County, New York - consisting of 100 total visits across 23 financial institutions - and sought financing for their fictitious small businesses. Each visit was audio recorded, and test participants completed post-visit surveys documenting their experiences. The study examined four key aspects of the loan inquiry process: encouragement or discouragement to apply for a loan; information provided about requested loan products and potential steering to other products; the overall quality of treatment or customer service; and the amount of business and credit information requested.

The CFPB's summary of the results states: "Our aggregate-level analyses reveal that Black testers received less favorable treatment than paired white testers in two of the four treatment domains we considered. First, Black testers received less favorable treatment on measures of encouragement/discouragement to apply for financing than white testers. Second, in the domain of small business loan products discussed and potential steering, bank representatives were more likely to discuss non-requested credit products - such as business credit cards or real estate-secured loans - with Black testers than with white testers. These differences in treatment are statistically significant. Given the design and scope of this pilot research, these findings should not be generalized to the broader small business lending market or to specific financial institutions. These findings do, however, highlight the existence of differential treatment in small business lending. This research reveals evidence of - and provides a framework for detecting - differential treatment of well-qualified Black and white small business owners seeking credit at large bank lenders in select counties."

Amicus brief(ly): We love a good statistics paper, and the mystery shopper model was a nice touch. The CFPB's report outlines some potentially troubling findings in its research, identifying that non-White applicants for business credit did not receive the same treatment as White applicants in at least some interactions at the bank branches. But the results are qualified; for some of the areas studied, the results were based on the applicants' subjective feelings about their interactions at the bank branches. So, the report is a statistics paper and worth a read, but the data inputs are not objective data, like interest rates, discount amounts, or other measurable data points. While the CFPB cautions readers not to generalize the findings, after a careful read you would not be tempted to do that. But readers may be reminded of a news story from about a year and a half ago where a Black couple had their house appraised for a refinance and then re-appraised by a different appraiser, with their White friend showing the house, at a value about 50% higher than the original appraisal. Outcomes like that, and the observations made in this CFPB study, underscore the importance and value of fair lending awareness.


[1] For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.