Last Week, This Morning

January 13, 2025

Happy New Year!

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)"[1] comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

CFPB Releases Final Rule Prohibiting Reporting of Medical Debts in Consumer Reports

On January 7, the Consumer Financial Protection Bureau released the final version of its rule prohibiting the inclusion of medical debt information in consumer reports. The CFPB cites its own research that, as the CFPB claims, suggests that a consumer's medical debt history has little predictive value with respect to the consumer's overall credit risk. It also cites concerns that the inclusion of inaccurate medical debt information in consumer reports may coerce consumers into paying debts that they do not owe. The new rule will become effective on March 17, 2025, the first business day that is at least 60 days after the rule's expected publication in the Federal Register on January 14, 2025.

The final rule amends two sections of Regulation V and adds a new section. The rule adds a definition of "medical debt information" to 12 C.F.R. § 1022.3 (note that the term "medical information" already has its own definition separate from this one). Medical debt information means medical information that pertains to a debt owed by a consumer to a person whose primary business is providing medical services, products, or devices, or to such person's agent or assignee, for the provision of such medical services, products, or devices. Medical debt information includes but is not limited to medical bills that are not past due or that have been paid.

The final rule also removes exceptions to the prohibition against obtaining or using medical information as part of a determination of a consumer's eligibility or continued eligibility for a credit product (See 12 C.F.R. § 1022.30). With these exceptions removed, a creditor may consider medical information only if the information is unsolicited or meets one of the specific carveouts - for example, to determine whether a consumer qualifies for a credit program designed to meet the needs of consumers with a specific medical condition.

The new section of Reg. V, 12 C.F.R. § 1022.38, restricts consumer reporting agencies from including medical debt information in consumer reports. A consumer reporting agency may include medical debt information in a consumer report only if it has reason to believe that the user of the report will use the information in a way that is not prohibited under § 1022.30 and will not violate any other law, specifically including state laws, by obtaining or using the information.

Amicus brief(ly): This CFPB action has potentially serious consequences for consumers and industry alike and has already been challenged in court by trade groups, including the CDIA. The arguments appear to focus on whether a consumer's payment of medical debt has any predictive value vis-à-vis her or his other debts. The CFPB claims that it has limited predictive value based on its own research from 2014, which industry claims is dated, limited, and less reliable than more recent studies showing that payment of medical debts is actually predictive of performance on other debts. Trade groups also argue in their lawsuits that the CFPB exceeded its authority by writing a rule limiting the furnishing of data that Congress specifically authorized furnishers to provide under the Fair Credit Reporting Act. The Texas courts where these lawsuits are pending have not yet issued an injunction preventing the rule from taking effect in March as scheduled, but that is what the plaintiffs are looking for in the short term. Stay tuned - this is a developing story.

State Regulators Impose $20 Million Penalty on Nonbank Mortgage Company and Three Affiliates for Deficient Cybersecurity Practices

On January 8, fifty-three state regulators reached a joint Settlement Agreement and Consent Order with a nonbank mortgage company and three of its affiliates (collectively, "respondents") that were each licensed as a mortgage broker, lender, and/or servicer in states participating in the settlement. The settlement resolves operational concerns regarding the respondents' information technology and cybersecurity practices that were uncovered by the state regulators during a supervisory examination following a data breach of the respondents' network. The settlement also resolves examination findings that the respondents delayed the supervisory process by failing to comply with the state regulators' requests in a timely and complete manner in the early stages of the examination.

According to the settlement, in October 2021, the respondents experienced a cybersecurity incident when an employee, in the course of performing job-related duties, unknowingly downloaded malicious software during an internet search. Soon after, a criminal actor was able to obtain personally identifiable information from the respondents' network. The respondents, upon discovery of the cybersecurity incident, investigated the incident and notified approximately 5.8 million consumers that their personal information may have been compromised. The respondents offered support services and the ability to receive free consumer credit and identity theft monitoring to affected consumers. In addition, the respondents notified state and federal regulators and other affected parties of the cybersecurity incident. Some state regulators, however, contended that they were not provided timely notification of the cybersecurity incident.

State regulators in California, Maryland, North Carolina, and Washington State commenced an examination of the respondents in order to assess the effectiveness of their information technology and cybersecurity program. The examination revealed compliance violations of state and federal law related to the respondents' information technology and cybersecurity program. The state regulators also found that the respondents did not initially fully comply with examination requests related to certain information, including information the respondents claimed was privileged.

Under the settlement, the respondents are required to pay a $20 million penalty and take specified corrective actions, improve their cybersecurity program, undergo independent assessments, and provide three years of additional reporting to the states. The respondents neither admit nor deny any wrongdoing.

Amicus brief(ly): The serious financial penalty in this settlement underscores the gravity of a cybersecurity event where a provider loses consumers' confidential information. The amount of the penalty may also be informed by the claim made by the state attorneys general that the providers in this case did not cooperate with investigators in the early part of their examination work or the fact that the event went undetected for over a month and affected nearly 6 million customers. The settlement also imposes requirements around the maintenance of a corporate governance framework that is worth reviewing for any compliance professional charged with managing system and data security, though the requirements are relatively standard for a financial services provider with confidential consumer information in its system.

CFPB Issues Policy Statements on No-Action Letters and Regulatory Sandbox Approvals

On January 8, the Consumer Financial Protection Bureau issued policy statements that detail updated procedures for companies that apply for special regulatory treatment through No-Action Letters ("NALs") and Compliance Assistance Sandbox Approvals ("Sandbox Approvals").

According to the policy statements, the CFPB is accepting applications for NALs and Sandbox Approvals, subject to certain conditions. The conditions "are first designed to ensure that [NALs and Sandbox Approvals] promote innovations that solve unmet needs in markets for consumer financial products and services. Minor adjustments to existing products, or products that are designed to take advantage of gaps in laws rather than bringing new offerings to market, do not confer significant enough benefit on consumers to warrant the expenditure of government resources necessary to issue and monitor a [NAL or Sandbox Approval]."

The conditions also "ensure that [NALs and Sandbox Approvals] do not compromise the competitive process. Innovation is maximized by competitive, open markets and robust rivalry among firms. ... [T]he CFPB will affirmatively reach out to program applicants' competitors and invite them to apply for the same [NAL or Sandbox] topic. The CFPB will not approve a [NAL or Sandbox program] on a topic for a single firm, to avoid granting a first-mover advantage in the market. The [c]onditions also prevent firms from advertising the receipt of a [NAL or Sandbox program approval], which can create the false appearance of endorsement or favored regulatory status and can distort competition."

Finally, the "CFPB will post applications for [NALs and Sandbox Approvals] to an open docket on the regulations.gov website and will accept comment for 60 days. To avoid ethical conflicts, the CFPB will not consider applications from former CFPB attorneys representing firms as outside counsel. The CFPB is concerned that former CFPB employees will use their relationships to obtain special treatment for specific firms in procuring [NALs and Sandbox Approvals], or that there is a risk of the appearance of special treatment by the public or specific firms seeking outside counsel. Because applicants' integrity is also critical for the programs' success, [NALs and Sandbox Approvals] will not be granted to firms that have been prosecuted for prior violations of federal consumer financial law in the last five years. And to prevent bait-and-switch negotiation tactics experienced under the prior [NAL and Sandbox] policy, where firms negotiated terms of [NALs and Sandbox Approvals] with the CFPB and thereafter materially change the underlying products or services, [NALs and Sandbox Approvals] will automatically be rescinded when recipients change their product or service so that it no longer fits the description provided in the application and described in the [NAL or Sandbox Approval], unless the ... recipient applies for and receives an amended [NAL or Sandbox Approval]."

Amicus brief(ly): The CFPB has maintained quite a pace of work in the last couple of months with an eye toward a change in administration that could potentially see the rescission of policy statements like these. These new policy statements focus on competition and transparency, the relative lack of which the CFPB cited in its rescission of existing similar policies in 2022. The process to apply for a no-action letter under this guidance is burdensome, so it is not clear (if the initiative survives the change in administration) whether innovators will consider it worthwhile pursuing no-action letters. The CFPB is hoping primarily to encourage new consumer-beneficial products and services with the re-issuance of and updates to these policies. Prior iterations of federal and state regulatory sandboxes have shown that they can be beneficial for providers of new technology whose products do not fit neatly into an existing regulatory regime because they allow an open discourse between the provider and regulators about whether and how the new product should be regulated.

Massachusetts Attorney General Launches Usury Notice Filing Portal

Lenders who submit Usury Notice Filings to the Office of the Massachusetts Attorney General should consult with counsel regarding a new portal for filing notices that raises questions regarding the required timing and content of filings. The Massachusetts criminal usury statute prohibits knowingly contracting for, charging, taking or receiving (either directly or indirectly) interest and expenses that exceed an amount greater than 20% per annum. See 271 M.G.L.A. § 49(a). Absent an exception, this limit applies to both consumer and business/commercial purpose transactions.

A notable exemption applies to a person who provides notice to the attorney general of that person's intent to enter into a "transaction or transactions" that, but for the notice, would violate the 20% per annum rate limit. See 271 M.G.L.A. § 49(d). Parties that provide such notice before a loan is disbursed to the borrower(s) and maintain certain records specified by the statute can immunize such "transaction or transactions" from potential usury claims.

The criminal usury statute is frustratingly thin on details regarding the proper form and method for filing this notice. However, in mid-November, the attorney general launched, with no apparent public notice, an online portal to submit notices. This is a notable development as it provides, for the first time, an online method to submit these notices. The portal will also provide confirmation of receipt for successful filings.

However, the materials surrounding the launch of this portal raise more questions than answers, including:

  • The online portal website appears to suggest that the attorney general expects a notice to be filed before each otherwise usurious transaction. For example, the information discussing the portal states that "[e]ach submission shall contain a copy of the notice from a single loan filing" and instructs parties not to "batch notices from multiple loan transactions into a single filing."
  • The portal seeks to collect borrower- and transaction-specific details. Some of these elements appear to be required (such as the date of the note), while others are not and are referred to in the portal instructions as "preferred but not required." Much of this content is listed in the statute as informational elements that must be maintained by the party providing notice and provided to the attorney general upon her request, rather than information that must be provided with the filing. See 271 M.G.L.A. § 49(d). (Moreover, the information discussing the portal launch states that the information filed will be a public record and subject to public information requests, despite the fact that the statute prohibits lenders from publicly advertising such a filing - although lenders are required to provide information regarding a filing to an individual upon his/her request.)
  • The portal highlights certain fields for a party providing notice with a red asterisk, which usually connotes that the field in question must be populated. However, the portal does not specify this in its instructions, so it is ultimately unclear what information must be provided.

It is also unclear how the Office of the Attorney General will use information submitted through the portal. Hopefully, there will be much more to come regarding this portal and how the attorney general expects it to be utilized. For now, it raises a number of questions with no clear answers.

Amicus brief(ly): Whether the creation of this portal and its corresponding vague and uncertain instructions is an advancement for the state or providers is arguable at best - it does not seem to be. For lenders hoping to make loans at interest rates that exceed Massachusetts' 20% usury limit for one or more transactions, the creation of the online portal gives such lenders a convenient way to submit usury notice filings, but no additional information about the right form and presentation of transaction information to satisfy the attorney general's requirements. This update may reflect a "baby steps" approach to rollout, with some more "baby steps" in the form of information and guidance to come. Or so we can hope.

California Department of Financial Protection and Innovation Announces Commercial Financing Reporting Requirements

The California Department of Financial Protection and Innovation recently released information on its mandatory APR reporting for commercial financing providers. The report covering an entity's commercial financing transactions in 2024 is due on March 15, 2025. Providers of commercial financing that enter into more than one commercial financing transaction to a covered entity (a small business, nonprofit, or family farm) in a 12-month period must file an annual report with the DFPI.

The annual report must include: (1) the provider's identifying and contact information, including name, fictitious business names, entity type, mailing address, phone number, email address, website address, and designated contact person; (2) the number of commercial financing transactions that the provider made that year by type (e.g., accounts receivable purchase transaction); and (3) for each type of transaction, the provider must report the number of transactions grouped by the following categories of amount financed:

  • $10,000 or less;
  • over $10,000 but not over $25,000;
  • over $25,000 but not over $50,000;
  • over $50,000 but not over $100,000;
  • over $100,000 but not over $250,000;
  • over $250,000 but not over $500,000; and
  • for each category of amount financed, the minimum, maximum, average (arithmetic mean), and median annual percentage rate.

Any provider licensed under the California Financing Law must report its activities under the CFL separately, not as part of the report on commercial financing transactions. The regulations define "small business" as a for-profit entity with annual gross receipts of no more than $16 million, a dollar threshold subject to biennial adjustment. The regulations do not apply to transactions with amounts financed greater than $500,000.

Amicus brief(ly): The DFPI issued a regulation requiring this reporting separate from the more routine (though cumbersome) annual reporting requirements for lenders licensed under the California Financing Law in the Fall of 2023, so licensees should have this small business transaction and pricing data organized and ready to go. Six years after enactment of the first-ever U.S. state law requiring pricing disclosures for small business finance transactions, the reports will give the DFPI a clearer view of the types of transactions that are taking place in that marketplace in California. The DFPI has not given a clear indication of what it will use the data for, but providers have until mid-March to submit their reports.


[1] For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.