Firm News

Members of Alloy Labs Alliance, a consortium of midsized and community banks, released its “playbook” for “Banking as a Service” (“BaaS”) relationships between depositary institutions and non-bank financial technology firms. Drafted in partnership with leading technology providers, the Alloy Labs Playbook seeks to establish industry standards and a common vocabulary of buzzwords and common terms. The BaaS business model focuses primarily on banking services other than lending and has been around for over a decade. However, the BaaS industry is still evolving rapidly.
Read More

The California Department of Financial Protection and Innovation (“DFPI”) plans to start issuing conditional licenses on January 1, 2023 to debt collectors that have applied under the state’s Debt Collection Licensing Act (“DCLA”). The DFPI also plans to end the regulatory safe harbor allowing debt collectors that have applied for a license to continue to collect consumer debt in California at the same time.
Read More

On October 18, 2022, the New York Department of Financialb Services (the “Department”) announced that it entered into a consent order with EyeMed Vision Care LLC for alleged violations of New York’s Cybersecurity Regulation related to a cybersecurity event. EyeMed is licensed to sell life, accident and health insurance in New York by the Department and subject to oversight by the Department.
Read More

On December 9, 2022, certain provisions of the updated FTC Safeguards Rule will take effect. The provisions of the updated Safeguards Rule mentioned below were adopted in December of 2021 but are not effective until December 9, 2022, to allow time for compliance. The Safeguards Rule is applicable to “financial institutions,” which include non-bank financial institutions like non-bank lenders and companies acting as a finder along with other entities engaged in activities financial in nature or incidental to such financial activities.
Read More

The New York Department of Financial Services released revised regulations implementing the Commercial Finance Disclosure Law. These regulations set forth the precise formatting and calculation methods providers must use to make commercial financing offers in amounts under $2.5 million. This version was released after 18 comments were submitted to the Department during the public comment period. The revised regulations propose several key changes and clarifications. Read More

On August 29, 2022, Blue Ridge Bank (“Bank”), which has $2.8 billion in assets, entered into a formal written agreement with the Office of the Comptroller of the Currency (“OCC”) regarding the Bank’s oversight of its fintech partners. The OCC found unsafe and unsound practices relating to Bank oversight of third-party risk, Bank Secrecy Act/Anti-Money Laundering risk management, suspicious activity reporting and information technology control and risk
governance.

The OCC enforcement action agreement requires the Bank to take certain steps to improve third-party oversight and risk management, including the establishment of a majority-independent Compliance Committee, which must be approved by the Assistant Deputy Comptroller. Additionally, the Bank must adopt and implement a written program to assess and manage the risks posed by fintech partnerships, taking into consideration previous OCC guidance on community bank partnerships with fintechs. The Bank must also obtain OCC non-objection prior to onboarding new fintech partners or offering new products or services with existing fintech partners. Read More

The entire Eleventh Circuit Court of Appeals reheard Hunstein v. Preferred Collection and Management Services and reversed the previous panel holding. The entire Eleventh Circuit now holds (8 to 4) that plaintiff Hunstein failed to allege a concrete harm that would provide Article III standing to pursue his claims in federal court. Previously, a three-judge panel of the Eleventh Circuit previously found Hunstein had standing to sue, which spawned thousands of
copycat cases across the country. See our ALERT dated Nov. 18, 2021.

This case does not address the underlying substantive question of whether the use of a third party letter vendor violates the Fair Debt Collection Practices Act (“FDCPA”), however. The case only addresses whether Hunstein has standing to sue in federal court. The majority opinion takes care to state that its holding is that Hunstein himself did not have standing to sue because there was no public disclosure of his private debt information. The district court proceedings did not go beyond a motion to dismiss so the factual record is limited and the court’s discussion is limited solely to the issue of standing based on the pleadings. Read More

The California Attorney General Rob Bonta announced a settlement with Sephora, Inc. involving certain alleged California Consumer Privacy Act (“CCPA”) violations.

The complaint against Sephora alleged that Sephora did not properly process certain consumer opt out requests, did not disclose to consumers that their personal information was being sold and failed to clearly and conspicuously post a “Do Not Sell My Personal Information” link in violation of the CCPA.

According to the complaint, Sephora also allegedly allowed third parties tracking software to create profiles on their customers in violation of the CCPA through the collection of the brand of customers’ computers, what customers placed in their “shopping cart” and even customers’ precise locations, among other information.

Under the settlement, Sephora is required to provide notice to consumers of the sale of their personal information and to process certain consumer opt out requests. Sephora has 180 days from the effective date of the settlement to comply with its terms and must enact a program to assess and monitor the effectiveness of certain required remedial measures. Sephora is also subject to a monetary penalty of $1.2 million. Read More

Recently the CFPB released an interpretative rule providing that certain digital marketers may be considered “service providers” under the Consumer Financial Protection Act (“CFPA”) and thus subject to the CFPA’s prohibition on unfair, deceptive or abusive acts or practices (“UDAAP”). The CFPA is applicable to service providers who provide a material service to “covered persons” under the CFPA.

In the interpretative rule, the CFPB determined that digital marketers engage in a material service when they assist in developing content strategies through identifying and selecting prospective customers or assisting in selecting or placing content to influence customer engagement. The CFPB also noted that digital marketers also may provide a material service when they identify customers and attempt to acquire those customers because it is a significant component of offering a consumer financial product.

Digital marketers may be excluded from the definition of a service provider under CFPA’s time or space exception. Read More

Last month, the Federal Trade Commission filed a complaint and executed a stipulated order against First American Payment Systems and two companies that market First American’s payment processing services. The FTC alleged that First American and its marketers violated the Federal Trade Commission Act (“FTCA”) and the Restore Online Shoppers’ Confidence Act (“ROSCA”).

First American provides payment processing services to small businesses and sole proprietors to allow them to take credit and debit cards. The FTC alleged that First American tricked its merchants by (i) failing to disclose that First American’s services would automatically renew unless terminated, (ii) failing to disclose the services have an early termination fee and (iii) improperly debiting merchants’ bank accounts.

While the FTCA broadly regulates all commerce, the ROSCA prohibits certain sales practices for selling of goods or services to “consumers” over the internet. That the FTC alleged a violation of ROSCA’s consumer protections in regard to business-to-business transactions shows the FTC’s willingness to broaden the scope of consumer protection statutes. Read More