
Privacy in the Land of California

For those of you who live in California, work in California or have customers in California, 2021 is going to be different.

Probably more complicated for businesses and possibly a little better for consumers.

Act 1: CA AB-1864 creates the Department of Financial Protection and Innovation (DFPI). California is not particularly happy that the Republican administration in Washington has defanged the Consumer Financial Protection Bureau. My personal opinion is that there are people in the legislature who are not happy that Xavier Becerra, the California AG, has been less than enthusiastic about enforcing CCPA.

The result is DFPI, aka California’s own CFPB. The governor is expected to sign the bill later this month.

Like the CFPB was supposed to do, the DFPI will have the power to bring administrative and civil actions, issue subpoenas and create rules and regulations. It also requires that all money collected by the department (AKA fines) will be used to fund the department. If the commissioner wants more staff … issue more fines.

For many of our clients, there is good news. Escrow agents, mortgage originators, broker-dealers, banks and other financial institutions are exempted from this regulation.

Fin-tech companies, however, are not exempted. They need to watch out. The text of the bill can be found here.

Act 2: The second bill is SB-908, which will require debt collectors to be licensed. And regulated. Mortgage lenders are NOT exempted from the provisions of this bill. The governor is expected to sign this bill as well.

Given the current financial “troubles” in the country now and in the foreseeable future, there is going to be a lot of non-performing debt. For debtors in California, this bill will attempt to make the debt collection process a little more civil. Given the reputation of the industry as a whole, civil is not a term that I would generally use when describing the process. Of course, there are many exceptions. The text of this bill can be found here.

Act 3: The last bill in the collection is CA AB-376, which establishes a student loan borrower bill of rights. Among other things, this bill, which will be enforced by the new DFPI, requires loan servicers to operate like a fiduciary by managing payments to the benefit of the borrower and to reduce fees to the borrower.

The bill would allow a borrower that suffers damages as a result of a debt collector’s failure to follow this law or other relevant federal laws to sue the debt collector for actual damages, injunctive relief, restitution, attorney’s fees and other relief, including treble damages in some cases. The text of this bill, which the governor is also expected to sign, is available here.

This is not all; there is CCPA 2.0, but I will leave that for another day.

As you can see, for folks living, working or doing business in California, 2021 will be an interesting year.

Also remember, where California leads, the rest of the country follows. If you don’t believe that, check out CA SB 1386, the 2002 law that created privacy rights and the basis of state law in virtually every state in the country.

NY Regulator Unveils Proposed New Cyber Security Regulations

When Ben Lawsky was running the New York Department of Financial Services, he proposed new cyber security examination rules. Now that he has gone on to start his own legal consulting firm, the legacy that he started continues.

This week the post-Lawsky NYDFS has released a set of proposed cyber security regulations.  And, just to up the ante, they shared their proposed regulations with every other significant regulator: the Federal Reserve, the OCC, the SEC and every other state regulator.  Their goal is to get everyone to adopt the same basic rules.

So what is in this gem?  If you are a state or federally chartered bank, an insurance company or a broker-dealer, you might want to check this out.  Here they are:

  • 12 very specific policies and procedures including data governance, access controls, systems and application development and QA, vendor and third party risk management and incident response.  That is just one of the items.
  • Third party service provider management
  • Multi-factor authentication
  • Hiring a CISO, who must submit an annual report to the regulator, signed off on by the Board
  • Application security procedures, guidelines and standards
  • Cyber security staff and intelligence
  • Cyber security audit
  • Notification of the department in the event of any cyber security incident.

While this is only a proposal and may change, it likely will not “go away”.

If you are a regulated entity, now might be a good time to start planning and getting ready for whatever comes.




Information for this post came from the WSJ and Reuters.