California Passes Suite Of New Privacy Laws

California continues to be at the vanguard of privacy protection. On October 11, 2021 California’s Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022 and include:

  • AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out right. This exemption applies to vessel information and ownership information shared between vessel owners and dealers, if the sharing is because the entity anticipates or is effectuating a warranty repair or vessel recall.
  • AB 430, which amends California’s identity theft and debt collection laws. The amendment permits victims of identity theft to provide an FTC identity report in lieu of a police report in instances (i.e., stopping debt collection, civil judgment for identity theft) that formerly required a police report.
  • AB 694, which adds technical and non-substantive changes to the California Privacy Rights Act. This clarifies that the California Privacy Protection Agency’s authority begins six months after it notifies the AG that it is prepared for rulemaking.
  • AB 825, which expands California’s existing data breach notification laws to include genetic data in the definition of “personal information.” This indirectly broadens the CCPA’s private right of action for some data breaches that use this definition.
  • AB 1391, which addresses the sale of data obtained unlawfully. This law:
    • prohibits selling data and selling access to data that was obtained pursuant to the commission of a crime;
    • makes buying data unlawful if the buyer has actual or constructive knowledge that the data was accessed or obtained through criminal activity; and
    • carves out exceptions including press reporting matters of public concern, whistleblowers, and obtaining data for specific security purposes.
  • AB 1184, which amends the Confidentiality of Medical Information Act and the Insurance Code to increase privacy protections for patients receiving sensitive healthcare services including mental health, reproductive health, and gender-affirming care. The law restricts certain disclosures even where the patient is not their health insurance’s policyholder.

California also joins a minority of states in passing a new law protecting the privacy of genetic information. SB 41, which creates the Genetic Information Privacy Act, requires direct-to-consumer genetic testing companies to:

  • clearly inform consumers how the company collects, uses, maintains, and discloses genetic data;
  • obtain express consent for use, collection, and disclosure of genetic data;
  • obtain separate express consent for specific activities including transfers to third parties, storage of biological samples, and marketing facilitated by genetic data;
  • implement mechanisms through which consumers may easily access and delete their account and genetic data;
  • destroy the consumer’s sample and associated data within 30 days of consent revocation, unless the company is otherwise prohibited from doing so; and
  • maintain and implement reasonable security practices and procedures.

Notably, none of the new laws passed by California permit a new private right of action. AB 825, however, adds genetic data to the definition of “personal information” under California Civil Code § 1798.81.5(d)(1)(A) and thus expands the CCPA private right of action for data breaches involving “personal information” under this law.

AB 1184 increases protections for certain medical information that is particularly sensitive (mental health, reproductive health, gender-affirming care). The Confidentiality of Medical Information Act (CMIA) already has a private right of action for negligent release of medical information. Thus, the private right of action is expanded to include violations of the heightened protections that result in negligent release of the sensitive info.

CFPB Updates Supervision and Examination Manual, Adds IT Examination

The CFPB updated its Supervision and Examination Manual by adding a new section titled Compliance Management Review – Information Technology.  The new examination procedures are meant to assist CFPB examiners when assessing an entity’s information technology (IT) controls as part of a Compliance Management System (CMS) review.  Among other things, the new exam procedures outline the following five modules:  (i) Board and Management Oversight; (ii) Compliance Program; (iii) Service Provider Oversight; (iv) Violations of Law and Consumer Harm; and (v) Examiner Conclusions and Wrap-Up.  Each module focuses on the components of a compliance program and the IT function, including policies and procedures, training, monitoring and/or audit, and consumer complaint response.

Putting Into Practice:  Central to the new exam procedures is the CFPB’s focus on the IT controls of an institution’s service providers.  The new section notes that third-party arrangements may “expose institutions to risks when not managed properly” and that institutions “cannot outsource the responsibility for complying with Federal consumer financial laws or managing the risks associated with service provider relationships.”  The CFPB’s supervisory authority over service providers was granted under Title X of Dodd-Frank and then clarified in later guidance (see CFPB Compliance Bulletin and Policy Guidance 2016-02).  Third-party risk management has also been a recent focus of the Federal Reserve, FDIC, and OCC (we previously discussed this latest trend in earlier Consumer Finance & FinTech Blog posts here, here, and here).

CFPB Enforcement Actions Zero in on Income Share Agreements and “Payday Alternative” Loans

In September 2021, the CFPB took action against Better Future Forward, Inc. (BFF), a provider of student income share arrangements, and LendUp, an online, subprime consumer lender. In both cases, the CFPB alleged that the target company violated the Dodd-Frank Act by deceiving customers as to the nature or consequences of their transactions with those companies. The BFF and LendUp actions reflect the CFPB’s renewed focus on educational loans and subprime consumer loans, a trend expected to intensify under newly confirmed CFPB Director Rohit Chopra.

  1. Income Share Agreements

On September 7, the CFPB issued a consent order against Better Future Forward, Inc. (BFF), a provider of income-share agreements (ISAs). ISAs are an alternative to traditional student loans in which a provider advances funds for postsecondary education in exchange for future payments based on a percentage of the student’s post-graduation income. Unlike a loan, the ISA agreement does not contain an unconditional obligation to repay a fixed amount. Instead, the student’s obligation is satisfied when she either pays the maximum repayment amount (the “payment cap”) or a certain period of time passes. If the student’s income falls below a specified threshold for a given month, no payment is required.

Many ISA providers rely on this lack of an absolute repayment obligation to distinguish their transactions from loans, which are subject to the federal Truth-in-Lending Act and other consumer financial protection statutes. However, the CFPB did not directly address the conditional nature of the repayment obligation in the September 7 order. Instead, the abbreviated analysis focused on the definition of “credit” in the Dodd-Frank Act, which is the right to “incur a debt and defer its payment.”1 The CFPB found that the ISAs in question met the definition of “credit” despite the lack of an absolute obligation to repay and the provider’s acceptance of the risk of non-payment.2

The CFPB’s characterization of BFF’s ISA transactions as loans formed the basis for the following violations of the Truth-in-Lending Act identified in the consent order:

  • Failing to make required cost-of-borrowing disclosures;
  • Failing to disclose that a bankruptcy filing may not relieve the borrower of her obligation to repay the loan; and
  • Illegally imposing a prepayment penalty on a private education loan (by adding a non-refundable 10% to the payment cap at origination).

The CFPB also noted that the “growth component” BFF added to the advance amount was indistinguishable from the finance charge on a traditional loan. However, the consent order does not rely on this point in classifying the ISAs as loans.

The CFPB did not impose civil penalties on BFF, citing its cooperation. However, the ISA industry is now on notice that the CFPB considers these transactions to be loans for purposes of compliance with consumer financial protection statutes that the CFPB enforces.

  2. Online Consumer Loans

On September 8, 2021, the CFPB filed suit against Flurish, Inc. (d/b/a LendUp) in the United States District Court for the Northern District of California. The complaint alleges that the company was engaged in continuing deceptive practices that violated the Dodd-Frank Act and a 2016 consent order based in part on the same conduct. The 2016 order required LendUp to pay approximately $1.83 million in redress and pay a $1.8 million penalty for falsely representing to borrowers that, by repaying on time and taking free financial education courses, they could ascend the “LendUp Ladder” and access lower interest rates and larger principal amounts on future loans.

In the September complaint, the CFPB alleged that, while the 2016 order was in effect, higher-level borrowers often paid the same or higher interest rates relative to lower-level borrowers for identical loans. Additionally, higher-level borrowers often could not access the promised higher loan amounts, and some had their loan caps unilaterally reduced. In short, LendUp misled borrowers about the effects of repeat borrowing. The CFPB also alleged in the September order that LendUp violated the Equal Credit Opportunity Act (ECOA) by failing to provide timely and accurate adverse action notices.

Repeat borrowing, and a perceived lack of borrower awareness around its consequences, was a major focus of the CFPB during the Obama Administration. In the waning days of Obama-appointed director Richard Cordray, the CFPB issued a controversial rule requiring short-term, small-dollar lenders to underwrite to the applicant’s ability to repay the loan without re-borrowing. The underwriting provisions of the so-called payday lending rule were rescinded in a 2020 rulemaking under Trump appointee Kathy Kraninger.

The CFPB’s suit against LendUp, though based in part on the company’s violation of a 2016 consent order, shows the agency’s continuing sensitivity to issues associated with repeated use of small-dollar loans. Given its considerable investment in addressing “cycle of debt” issues, the CFPB may renew these efforts either through a new rulemaking or targeted enforcement of the Dodd-Frank prohibitions on unfair, deceptive and abusive acts or practices.

Additionally, given the CFPB’s recent focus on small business lending and related data collection, providers of loans to small businesses (particularly sole proprietors) should stay alert to CFPB enforcement activity in the consumer space. Although the Truth-in-Lending Act applies solely to consumer transactions, the ECOA imposes notice and non-discrimination requirements on small business loans in addition to consumer loans.


1 12 U.S.C. § 5481(7).
2 Similar factors have been cited by courts and regulators in determining that two other loan-alternative products, earned wage access and merchant cash advance, are not loans under some circumstances. However, the BFF action is consistent with the CFPB’s position that third-party litigation funding arrangements are loans. See 201702_cfpb_RD-Legal-complaint.pdf (

Education Department Extends Navient Student Loan Servicing Contract, But Not FedLoan

Student Loan Servicing Changes

Last month, Navient announced that it intends to exit the U.S. Department of Education’s loan servicing system. Just weeks prior to that, FedLoan Servicing and Granite State Management & Resources — two other major loan servicers for the Department — had also announced their withdrawal.

As a result of the cascade of student loan servicer exits, the Department would have to transfer millions of borrowers who have Department-held federal student loans to a new servicer. Navient had proposed an arrangement with a company called Maximus, another loan servicing company that primarily handles the Department’s defaulted federal student loans, to take over Navient’s accounts. That arrangement would need to be approved by the Biden administration.

Loan Servicing Contract Extension for Navient

Today, the Department announced it has extended Navient’s loan servicing contract to December of 2023. As a result, Navient may continue to service government-held federal student loans for another two years, reducing the chances of imminent servicing transfers for student loan borrowers.

However, the Department also indicated that it is still evaluating Navient’s proposal to transfer its Direct loan servicing portfolio to Maximus. “Navient… signed a contract extension, although the Department is currently reviewing a recently submitted request from Navient to transfer its contract to Maximus,” wrote the Department. Thus, notwithstanding the contract extension, it is possible that, if approved, Navient’s proposal could still go into effect, albeit on a less-rushed timeline.

No Loan Servicing Contract Extension for FedLoan Servicing

FedLoan Servicing — the Department of Education servicing wing of the Pennsylvania Higher Education Assistance Agency (PHEAA) — was not granted a two-year contract extension. FedLoan also recently announced its withdrawal from the Department’s federal student loan servicing system, a particularly disruptive development given that FedLoan is the sole servicer contracted to administer the troubled Public Service Loan Forgiveness (PSLF) program. Similarly, there is no contract extension for Granite State Management & Resources, another departing loan servicer.

“FSA is in the process of transferring those loans to remaining servicers,” wrote the Department. Some FedLoan accounts are already being transferred to MOHELA, an existing Department loan servicer. However, the Department has not confirmed that all FedLoan accounts will be transferred to MOHELA, and many still remain with FedLoan for now.

Other Student Loan Servicers

The Department has agreed to a two-year extension of servicing contracts for other major federal student loan servicers including Great Lakes Higher Education, HESC/Edfinancial, MOHELA, Nelnet, and OSLA Servicing. That reduces the chances that there will be further abrupt withdrawals of loan servicers from the Department of Education’s servicing system in the near term.

The Department also indicated that the contract extensions will include stronger oversight and consumer protections for borrowers including “stronger standards for performance, transparency, and accountability.”

“FSA is raising the bar for the level of service student loan borrowers will receive,” said FSA Chief Operating Officer Richard Cordray. “Our actions come at a critical time as we help borrowers prepare for loan payments to resume early next year. The great work done by our negotiating team here enables us to ensure that loan servicers meet the tougher standards or face consequences.”

The Department characterized these steps as an initial phase of a larger process to transform and improve federal student loan servicing for borrowers going forward.

CFPB enters into second settlement with reverse mortgage provider

Last week, the CFPB simultaneously filed a lawsuit against American Advisors Group (AAG) in a California federal district court and a proposed stipulated final judgment and order to settle the lawsuit.  The lawsuit alleged that AAG inflated estimated home values in marketing its reverse mortgage product and made false representations about AAG’s effort to ensure home value information was reliable.

In 2016, the Bureau entered into a consent order with AAG to settle claims that AAG engaged in deceptive advertising in violation of the Mortgage Acts and Practices-Advertising Rule (Regulation N) and the Consumer Financial Protection Act.  In addition to requiring AAG to pay a civil money penalty of $400,000, the consent order contained a provision prohibiting AAG from violating the CFPA for five years, or until December 2021.

In its new complaint, the CFPB claimed that AAG’s alleged use of inflated home values and false representations about its efforts to ensure home value information is reliable constituted deceptive acts or practices in violation of the CFPA.  It also alleged that by engaging in such deceptive acts or practices, AAG violated the consent order.  The CFPB claimed that by violating the consent order, AAG violated federal consumer financial law because the consent order, as an order prescribed by the Bureau, constitutes a federal consumer financial law.

The proposed stipulated final judgment and order requires AAG to pay a $1.1 million civil money penalty and $173,400 in consumer redress to consumers who received mailers from AAG with estimated home values, paid for and received appraisals with property values lower than AAG’s estimates, and decided not to proceed in obtaining a reverse mortgage from AAG.  It also prohibits AAG from engaging in deceptive practices generally and, in connection with marketing its consumer financial products, it prohibits AAG from misrepresenting any fact material to consumers, including, but not limited to, home values.  Additionally, AAG must submit a compliance plan to the CFPB and include links to specific CFPB materials about reverse mortgages in its direct mail solicitations and in welcome communications to borrowers with newly-originated reverse mortgages.