Last Week, This Morning

June 23, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Louisiana Establishes Disclosure Requirements for Revenue-Based Financing Transactions and Clarifies that Amounts Charged in Such Transactions Are Not "Interest"

Louisiana Governor Jeff Landry recently signed House Bill 470, which specifies that amounts charged in revenue-based financing transactions are not interest. The new law also establishes disclosure requirements for revenue-based financing transactions.

The law defines "revenue-based financing transaction" as "an agreement under which a person engaged in a commercial enterprise sells or agrees to forward a percentage of sales, revenue, or income, and the person's payment obligation increases and decreases according to the volume of sales made or revenue or income received." The law states that a revenue-based financing transaction "is not a transaction for the use, forbearance, or detention of money" and "[a]mounts charged in a revenue-based financing transaction, whether in the nature of a fee, discount, or otherwise, are not interest."

Effective August 1, 2025, a provider of revenue-based financing must give the following disclosures with each transaction:

  • the total amount of funds provided to the commercial enterprise under the terms of the agreement;
  • the total amount of funds disbursed to the commercial enterprise if less than the amount specified in the bullet point above as a result of any fees deducted or withheld at disbursement, any amount paid to the provider to satisfy a prior balance, and any amount paid to a third party on behalf of the commercial enterprise;
  • the total amount to be paid to the provider under the terms of the agreement;
  • the total dollar cost under the terms of the agreement, calculated by finding the difference between the amount specified in the first bullet point and the amount specified in the third bullet point;
  • the manner, frequency, and amount of each payment, or if the amount of the payments varies, the manner and frequency of the payments, the estimated amount of the initial payment, a description of the methodology for calculating any variable payment, and the circumstances under which payments may vary; and
  • whether there are any costs or discounts associated with prepayment, including a reference to the provision in the transaction that creates the contractual rights of the parties related to prepayment.

The required disclosures do not include an annual percentage rate. The new law does not specify exemptions and does not expressly provide penalties for noncompliance.

Amicus Brief(ly): Providers do not have a long lead time to get disclosures ready for use in Louisiana, but this new law fortunately and importantly does not include a requirement to disclose an estimated APR. The law is not a comprehensive regulatory scheme for revenue-based financing, so providers really only have to focus on the required disclosures. The state's helpful clarification that these transactions are not loans, and that the amounts providers realize on the transactions are not interest, will help providers avoid costly litigation on those issues in connection with a finance product specifically designed not to be a loan.

FTC Releases FAQs on How Safeguards Rule Applies to Vehicle Dealers

On June 16, the Federal Trade Commission released Frequently Asked Questions discussing the requirements of the Safeguards Rule and how the rule specifically applies to motor vehicle dealers. The FAQs are meant to supplement related compliance materials available on the FTC's website, including FTC Safeguards Rule: What Your Business Needs to Know and FTC's Privacy Rule and Auto Dealers: FAQs.

The FTC's Safeguards Rule, which implements the Gramm-Leach-Bliley Act, requires covered non-bank financial institutions, including motor vehicle dealers, to develop, implement, and maintain a comprehensive written information security program to protect their customers' nonpublic personal information. The FTC amended the Safeguards Rule in 2021 to provide more specific guidelines for financial institutions and to ensure that the rule keeps pace with current technology and amended the rule again in 2023 to require financial institutions to report to the FTC certain data breaches and other security incidents involving their customer information.

Amicus Brief(ly): The FTC has a good history of providing guidance to industry to comply with its rules. These FAQs are a timely and useful resource for dealers about how to protect critically important and sensitive non-public consumer data. The Safeguards Rule is not new - it is over 20 years old. But in light of the regulatory focus (both federal and state) over the last couple of years on the sale and use of consumer data, it is helpful when a regulator like the FTC issues a set of guidelines for businesses to follow. Whether industry agrees with the regulators' guidance or not, it is always useful to know how the regulators are thinking about regulatory compliance issues. Although these FAQs are in some ways specific to vehicle dealers' business models, they are worth a quick pass for any provider that holds non-public consumer data.

CFPB Extends Compliance Dates for Small Business Lending Rule

On June 18, in light of court orders in ongoing litigation, the Consumer Financial Protection Bureau issued an interim final rule that extends by approximately one year the compliance dates set forth in its Small Business Lending Rule. The interim final rule is effective on July 18, 2025, and the CFPB is seeking comment on the interim final rule up until that date.

The Small Business Lending Rule, which implements Section 1071 of the Dodd-Frank Act, requires covered financial institutions to collect data on certain credit applications from small businesses and report that data to the CFPB. The interim final rule states that "[c]hallenges to the rule filed by some lenders remain ongoing in three jurisdictions; each of those courts ha[s] stayed the rule's compliance deadlines for some market participants. Specifically, the United States Court of Appeals for the Fifth Circuit has stayed the rule and tolled the compliance deadlines for plaintiffs and intervenors in that case, until further order of the court. The United States District Court for the Eastern District of Kentucky has stayed the deadlines for plaintiffs to comply with the rule until further order of the court. And the United States District Court for the Southern District of Florida has stayed the rule and tolled the rule's compliance deadlines with respect to plaintiff and its members for the length of time that the Fifth Circuit stay order is in effect, subject to modification at any time by the court. As the CFPB has noted in that litigation, it intends to initiate a new Section 1071 rulemaking and anticipates issuing a notice of proposed rulemaking as expeditiously as reasonably possible."

The interim final rule states that covered financial institutions are permitted to continue using their small business originations from 2022 and 2023 to determine their compliance tier, or they may instead use their originations from 2023 and 2024 or from 2024 and 2025. Covered financial institutions are permitted to begin collecting protected demographic data required under the Small Business Lending Rule 12 months before their new compliance date, in order to test their procedures and systems. The deadline for submitting small business lending data will remain June 1 following the calendar year for which data are collected. Finally, the CFPB is updating its grace period policy statement to reflect the revised compliance dates.

Amicus Brief(ly): The otherwise quiet CFPB takes the important step in this rulemaking to extend the compliance dates for its 1071 rule for companies that are subject to the rule but are not part of the litigation that saw the compliance requirements stayed while the CFPB and numerous litigants work out their issues. The rule has been subject to much commentary and justifiable industry concern that we will not repeat here today, but this step by the CFPB ensures that nobody has to comply with the rule for almost another full year (if ever). If you asked us to bet whether the rule survives the litigation and the new-look CFPB's internal regulation review, we would probably not want to take your bet. Stay tuned on this one.

Maine Requires Disclosure When Using Artificial Intelligence Chatbot to Communicate with Consumers

Maine Governor Janet Mills recently signed House Bill 1154, which provides that a person may not use an artificial intelligence chatbot or any other computer technology to engage in trade and commerce with a consumer in a manner that may mislead or deceive a reasonable consumer into believing that the consumer is engaging with a human being, unless the consumer is notified in a clear and conspicuous manner that the consumer is not engaging with a human being.

The new law defines "artificial intelligence chatbot" as "a software application, web interface or computer program that simulates human conversation and interaction through textual or aural communications." A violation of the disclosure requirement is a violation of the Maine Unfair Trade Practices Act.

Amicus Brief(ly): With this short legislation, Maine joins a growing number of states that require some form of disclosure when a business uses AI to contact customers or potential customers (note that the new law uses the term "consumer" in the caption and in the text but does not define the term). In fact, the number of states that did not at least consider an AI bill during the 2025 legislative session (some of which are ongoing) is fewer than five. There are no "safe harbors" in the Maine statute and no specifically required disclosure statements, so creditors and servicers can develop their own simple disclosure to announce that they are using AI to communicate with a consumer.

Maine and Oregon Prohibit Reporting of Consumer Medical Debt

Maine Governor Janet Mills recently signed Senate Bill 237, which provides that a consumer reporting agency may not report medical debt on a consumer report and a medical creditor, debt collector, or debt buyer may not report a consumer's medical debt to a consumer reporting agency.

The new law defines "medical creditor" as "an entity that provides health care services and to whom a consumer incurs medical debt or an entity that provided health care services to a consumer and to whom the consumer previously owed medical debt if the medical debt has been purchased by one or more debt buyers." "Debt buyer" and "debt collector" have the same meaning as in the Maine Fair Debt Collection Practices Act.

Oregon Governor Tina Kotek signed a similar bill, Senate Bill 605, on June 17 regulating medical debt reporting.

Amicus Brief(ly): On the heels of the CFPB's recent efforts to unwind its short-lived medical debt rule (finalized in January 2025, enjoined through litigation in Texas, and subject to Congressional Review Act measures in both houses of Congress) prohibiting the furnishing of medical debt information, a number of states have taken action to adopt similar state laws. Maine and Oregon joined that list last week. The Maine bill revises a six-year-old law on the furnishing of information about medical debt, changing the former guidelines requiring furnishers to wait until a medical debt was delinquent for at least six months before furnishing information about it to an outright prohibition. As is the case on a great many issues, the states are not all aligned on the relative value of reporting medical debt. For example, Nevada's legislature passed a medical debt reporting bill, but the governor vetoed it. Furnishers, especially debt buyers and debt collectors, should focus on how states define "medical debt." In an effort to protect consumers, some states have started with a definition that does not clearly exclude medical debts incurred on a general-purpose credit card. If a law with a definition that broad were to pass, furnishers would face the almost impossible task of figuring out whether a consumer paid for medical services with a general-purpose credit card and would have to stop furnishing data on credit cards in that state to avoid the risk of impermissibly furnishing medical debt data to a consumer reporting agency. For reference, see the Oregon law's definition that includes debt a consumer owes on a credit card "if the credit card is issued under an open-end or a closed-end credit plan offered specifically for the payment of medical services, products or devices for individuals."
1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.