Compliance Newshub
State News

Ballard Sparh, LLP--Scott M. Pearson

The California Department of Business Oversight (DBO) has issued an invitation for comments from stakeholders in developing regulations to implement SB 1235, the bill signed into law on September 30, 2018 that requires consumer-like disclosures to be made for certain commercial financing products, including small business loans and merchant cash advances.  Companies providing such financing are not required to comply with the new disclosure requirements until the DBO’s final regulations become effective.

The DBO’s invitation provides an important opportunity for providers of commercial financing products to engage with and educate the DBO as it develops proposed regulations.  Comments must be submitted by January 22, 2019.

In the invitation, the DBO lists the following 14 specific potential topics for rulemaking:

• Definitions (The DBO’s questions include whether the definitions can be read to cover transactions, individuals, or entities not intended to be regulated by the disclosure requirements or result in ambiguity regarding whether a transaction, individual, or entity is subject to the disclosure requirements.)
• Commercial financing requiring estimated term disclosures (The DBO asks what commercial financing transactions may require an estimated term disclosure and why and suggests that stakeholders provide sample contracts that may require such a disclosure.)
• Disclosure of method, frequency, and amount of payments for commercial financing with flexible or contingent repayment obligations (The DBO suggests that stakeholders provide examples of these types of financing and asks how providers should make the disclosures required for such contracts.)
• Annualized rate disclosure (The DBO notes different methods that might be used for the annualized rate disclosure and asks about the benefits and drawbacks of each disclosure and ways to reduce potential confusion to financing applicants caused by the disclosure.)
• Types of commercial financing (The DBO asks for examples of transactions other than fixed-rate, fixed-payment financing that are subject to SB 1235 (noting such examples may include merchant cash advances and recourse and non-recourse factoring), anticipated compliance obstacles in such transactions, and how the DBO can address such obstacles.)
• Types of financing requiring estimated annualized rates (The DBO asks for the types of commercial financing that will require estimated annualized rates and why.)
• Fees and charges included in an annualized rate calculation (The DBO asks what fees and charges should be included in the calculation.)
• Calculating estimated terms and estimated annualized rates (The DBO asks how estimated terms and rates should be calculated for the transactions subject to SB 1235, such as transactions with payments set as a percentage of a business’s gross receipts.)
• Reliance upon internal underwriting criteria to calculate estimated terms and estimated annualized rates (The DBO asks if the calculation methodology it establishes should require a provider to rely upon the internal assumptions or calculations it used to underwrite the transaction.)
• Explanatory and qualifying language in connection with estimated terms and estimated annualized rates (The DBO asks what explanatory and qualifying language providers should include when disclosing such estimates.)
• Disclosures for factoring and asset-based lending transactions with master financing agreements (The DBO asks what rules it should establish to clarify when disclosures based on estimates are permitted and to govern what examples, such as financing amount, a provider may use in disclosures.)
• Tolerances (The DBO asks what accuracy requirements and tolerances it should establish and why.)
• Disclosure formatting (The DBO asks what information should be highlighted or prioritized and about the placement and font to be used.)
• Prepayment policies (The DBO asks what prepayment policies and charges are common for transactions subject to SB 1235 and how such policies and charges are currently characterized to customers.)

Ballard Spahr LLP--Scott M. Pearson 

The California Department of Business Oversight (DBO) has issued an invitation for comments from stakeholders in developing regulations to implement SB 1235, the bill signed into law on September 30, 2018 that requires consumer-like disclosures to be made for certain commercial financing products, including small business loans and merchant cash advances.  Companies providing such financing are not required to comply with the new disclosure requirements until the DBO’s final regulations become effective.

The DBO’s invitation provides an important opportunity for providers of commercial financing products to engage with and educate the DBO as it develops proposed regulations.  Comments must be submitted by January 22, 2019.

In the invitation, the DBO lists the following 14 specific potential topics for rulemaking:

• Definitions (The DBO’s questions include whether the definitions can be read to cover transactions, individuals, or entities not intended to be regulated by the disclosure requirements or result in ambiguity regarding whether a transaction, individual, or entity is subject to the disclosure requirements.)
• Commercial financing requiring estimated term disclosures (The DBO asks what commercial financing transactions may require an estimated term disclosure and why and suggests that stakeholders provide sample contracts that may require such a disclosure.)
• Disclosure of method, frequency, and amount of payments for commercial financing with flexible or contingent repayment obligations (The DBO suggests that stakeholders provide examples of these types of financing and asks how providers should make the disclosures required for such contracts.)
• Annualized rate disclosure (The DBO notes different methods that might be used for the annualized rate disclosure and asks about the benefits and drawbacks of each disclosure and ways to reduce potential confusion to financing applicants caused by the disclosure.)
• Types of commercial financing (The DBO asks for examples of transactions other than fixed-rate, fixed-payment financing that are subject to SB 1235 (noting such examples may include merchant cash advances and recourse and non-recourse factoring), anticipated compliance obstacles in such transactions, and how the DBO can address such obstacles.)
• Types of financing requiring estimated annualized rates (The DBO asks for the types of commercial financing that will require estimated annualized rates and why.)
• Fees and charges included in an annualized rate calculation (The DBO asks what fees and charges should be included in the calculation.)
• Calculating estimated terms and estimated annualized rates (The DBO asks how estimated terms and rates should be calculated for the transactions subject to SB 1235, such as transactions with payments set as a percentage of a business’s gross receipts.)
• Reliance upon internal underwriting criteria to calculate estimated terms and estimated annualized rates (The DBO asks if the calculation methodology it establishes should require a provider to rely upon the internal assumptions or calculations it used to underwrite the transaction.)
• Explanatory and qualifying language in connection with estimated terms and estimated annualized rates (The DBO asks what explanatory and qualifying language providers should include when disclosing such estimates.)
• Disclosures for factoring and asset-based lending transactions with master financing agreements (The DBO asks what rules it should establish to clarify when disclosures based on estimates are permitted and to govern what examples, such as financing amount, a provider may use in disclosures.)
• Tolerances (The DBO asks what accuracy requirements and tolerances it should establish and why.)
• Disclosure formatting (The DBO asks what information should be highlighted or prioritized and about the placement and font to be used.)
• Prepayment policies (The DBO asks what prepayment policies and charges are common for transactions subject to SB 1235 and how such policies and charges are currently characterized to customers.)

Ballard Sparh, LLP--David M. Stauss, Gregory P. Szewczyk & Malia K. Rogers 

For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation.

Pre-Existing California Laws

1. Data Breach Notification Statute

California Civil Code § 1798.82 requires persons or businesses that conduct business in California to notify California residents if the person or business suffers a security breach involving “personal information.” Notably, Section 1798.82(h), defines “personal information” much narrower than the CCPA, to be either of the following:

1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number

(B) Driver’s license number or California identification card number

(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account

(D) Medical information

(E) Health insurance information

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5

2. A user name or email address in combination with a password or security question and answer that would permit access to an online account

The statute requires notice to be provided to affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

2. Duty to Implement and Maintain Reasonable Security Measures

California Civil Code § 1798.81.5 provides that a “business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

The law also requires any business that discloses personal information pursuant to a contract with a nonaffiliated third party to require that nonaffiliated third party to implement and maintain reasonable security procedures and practices.

The definition of “personal information” in Section 1798.81.5 is nearly identical to that in Section 1798.82, except that Section 1798.82 covers automated license plate recognition systems and Section 1798.81.5 excludes redacted information as well as encrypted information.

While the definition of “reasonable security procedures and practices” remains elusive, in February 2016, the California Attorney General’s office issued a reportstating:

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

The CIS controls are available here.

3. Private Right of Action

Prior to the CCPA, California law already provided for a private right of action for violations of the data breach notification and information security statutes. Cal. Civ. Code § 1798.84(b). However, that private right of action does not provide for statutory damages like the CCPA’s private right of action.

History of the CCPA’s Private Right of Action

1. Ballot Measure

The CCPA originated as a ballot measure. Section 1798.108 of the ballot measure would have permitted consumers to bring a civil action for statutory damages for “a violation of this Act.” Consequently, that private right of action would have covered not only security breaches, but also violations of the CCPA’s various privacy rights.

The ballot measure also specified that a violation of the Act “shall be deemed to constitute an injury in fact to the consumer who has suffered the violation.” That provision was directed at assuring that consumer plaintiffs could overcome a motion to dismiss based on lack of standing due to not having suffered a cognizable injury. The statutory damages set forth in the ballot measure were $1,000 “for each violation” or $3,000 for knowing and willful violations.

Additionally, Section 1798.112 would have allowed California residents to sue businesses for the same statutory damages for a security breach of consumer personal information under Section 1798.82 if the business failed to implement and maintain reasonable security procedures and practices.

The ballot measure was withdrawn from the ballot because of the passage of the CCPA.

2. Assembly Bill 375

In order to cause the withdrawal of the ballot measure, the California legislature quickly pushed through AB-375. For a discussion of the enactment of AB-375, see our blog post here. The private right of action in AB-375 was vastly different from the one in the ballot measure, stating:

Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . .

Thus, AB-375 eliminated—in theory—the private right of action for violations of the CCPA’s privacy-related rights that would have been covered by the ballot measure’s private right of action.

We write “in theory” because one of the final changes to this section before it was enacted was that the phrase “an unauthorized access and exfiltration, theft, or disclosure” was inserted in place of “a security breach of the business as defined in Section 1798.82.” Therefore, it was foreseeable that plaintiffs’ attorneys would argue that the change signaled an intent to broaden the private of action beyond security breaches to the privacy-related rights in the CCPA. For example, a business’s failure to allow a consumer to opt out of the business selling the consumer’s personal information to a third party could be interpreted as an “unauthorized access [and] disclosure.”

Unlike the ballot measure, AB-375’s private right of action did not provide that a violation constituted an “injury in fact,” and it lowered the statutory damages to not less than $100 and not greater than $750.  However, it changed “per violation” to “per consumer per incident.” In theory, the ballot measure could have been interpreted on a per consumer basis; however, AB-375 made this explicit, thereby creating a significant statutory penalty.

Additionally, if a consumer sought statutory damages (as opposed to pecuniary damages), AB-375’s private right of action required the consumer to provide a business with notice of the alleged violations and 30 days to “cure” them. A consumer was barred from filing suit if the business cured the violation and provided the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.”

The consumer also had to notify the Attorney General’s office within 30 days of filing the lawsuit and provide the Attorney General’s office with the opportunity to (1) prosecute the alleged violation, (2) instruct the consumer not to proceed, or (3) allow the lawsuit to proceed.

3. Senate Bill 1121

Only a few months after AB-375 was enacted, California passed SB 1121, which began what is expected to be a year-plus long process of modifying the CCPA prior to its January 1, 2020 effective date.

SB 1121 modified the private right of action in significant ways. First, in an apparent attempt to address the scope of the private right of action, SB 1121 added Paragraph (c) to Section 1798.150, which states, in relevant part:

The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.

The preamble to the bill further explained that “[t]his bill would clarify that the only private right of action permitted under the act is the private right of action . . . for violations of unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.”

SB 1121 also deleted the requirement that a consumer bringing a private right of action must notify the Attorney General and wait for authorization to proceed with the lawsuit. This change was most likely made in response to a letter from California Attorney General Xavier Becerra, stating that “[t]his provision has no purpose as the courts not the Attorney General decide the merits of private lawsuits” and the provision “imposes unnecessary personnel and administrative costs” on the Attorney General’s office.

Notably, in that same letter, Attorney General Becerra urged the California legislature to expand the private right of action to cover violations of the CCPA’s privacy-related rights:

Finally, the CCPA does not include a private right of action that would allow consumers to seek legal remedies for themselves to protect their privacy. Instead, the Act includes a provision that gives consumers a limited right to sue if they become a victim of a data breach. The lack of a private right of action, which would provide a critical adjunct to governmental enforcement, will substantially increase the [Attorney General’s Office’s] need for new enforcement resources. I urge you to provide consumers with a private right of action under the CCPA.

While SB 1121 did not adopt the Attorney General’s recommendation, it is certain that privacy advocates (and plaintiffs’ attorneys) will push the legislature to make this change prior to the January 1, 2020 effective date. If it does happen, the CCPA will lead to scores of privacy-related lawsuits.

What Should Companies Do?

You may already be aware that SB 1121 delayed the start of the Attorney General’s enforcement of the CCPA’s privacy rights to July 1, 2020. However, SB 1121 did not delay the January 1, 2020, effective date for the private right of action. Therefore, businesses should be taking steps now to avoid the CCPA’s significant statutory damages.

In so doing, businesses should bear in mind that the private right of action is not a strict liability statute. Rather, a litigant will need to prove that any data breach was due to a business’s failure to implement and maintain reasonable security procedures. Stated differently, private litigants will need to prove that a business was negligent and that the negligence was a cause of the breach.

Conversely, businesses that are able to demonstrate a documented history of taking affirmative steps to protect personal information will be well-situated to defend any data breach litigation. Perhaps the best starting point is to focus on existing California guidance. As explained, the California Attorney General’s office has stated that the CIS’s Controls are a minimum level of information security that organizations should meet. Therefore, performing a gap analysis of your organization’s information security practices against the CIS’s Controls is a logical place to start.

Additionally, businesses should document their information security procedures and practices through a written information security program. To develop such a program, businesses can look to information security standards promulgated by federal and state agencies. This would include, but not be limited to, HIPAA’s security and privacy rules, Federal Trade Commission guidance, Massachusetts regulation 201 CMR 17.00, and the New York Department of Financial Services cybersecurity regulations.

A written information security program should document administrative, technical, and physical safeguards that are appropriate for the size of the business and nature of the personal information the business maintains. Among other things, the program should document the business’s risk assessment and the controls employed to mitigate foreseeable risks, describe employee training measures, incorporate the business’s internal privacy policy, set forth the business’s policy for the discipline of employees who violate the privacy or security policies, and address third-party vendor management issues. It also is imperative that the organization develop a written cyber incident response plan addressing foreseeable types of incidents.

Finally, in an upcoming series of blog posts, we will continue to examine the concept of reasonable data security and offer further thoughts on what policies and practices businesses ought to adopt to meet this elusive and slippery standard.

Ballard Spahr LLP--Alan S. Kaplinsky

In August 2018, Arizona began accepting applications for its regulatory sandboxthat “enables a participant to obtain limited access to Arizona’s market to test innovative financial products or services without first obtaining full state licensure or other authorization that otherwise may be required.”  The state’s Attorney General is responsible for the application process and oversight of the sandbox.  At the end of last week, the Arizona AG announced that two more participants, Grain Technology, Inc. and Sweetbridge NFP, Ltd., had been added to the state’s sandbox.

In October 2018, there was an announcement by the AG that Omni Mobile Inc. had become the first sandbox participant.  The AG’s press release described Omni as “a mobile payment platform aiming to test cheaper and faster payment transfers through its centralized wallet infrastructure.”  It indicated that the product would be tested by processing guest payments at an Arizona resort, with Arizona-resident guests to receive a disclosure agreement (regarding the company’s participation in the sandbox), an explanation of the test nature of the product, a privacy notice, and the ability to opt out of any information sharing with the resort.

The AG’s announcement regarding Omni was accompanied by an announcement that the AG’s Office had signed a cooperation agreement with Taiwan’s financial regulator, the Financial Supervisory Commission, with the goal of creating an information-sharing arrangement that might create opportunities for businesses to develop and test fintech products in both markets.

The two additional sandbox participants announced last week are described in the AG’s press release as follows:

• Grain Technology, Inc., based in New York, will test a savings and credit product in Arizona using proprietary technology to offer consumers customized savings plans and credit opportunities. Arizona consumers participating in the program will obtain access to a small line of credit aimed primarily at providing overdraft protection for bank accounts.  APRs for loans obtained through this line of credit may be as low as 12% for consumers who agree to follow a recommended repayment plan calculated using Grain’s technology (a standard APR of 15.99% will apply for those who adopt a different repayment plan).  Grain intends for loans and payments occurring through this line of credit to be reported to major credit-reporting agencies to enable consumers to build their credit profiles.
• Sweetbridge NFP, Ltd., a Scottsdale-based international nonprofit building blockchain protocols for supply chains and commerce, will test a lending product using proprietary blockchain technology with an APR cap of 20%.  At these rates, Sweetbridge’s product will allow consumers to obtain credit at up to 1/10th the cost allowed under Arizona law.

In September 2018, the CFPB proposed significant revisions to its “Policy to Encourage Trial Disclosure Programs,” which sets forth the Bureau’s standards and procedures for exempting individual companies, on a case-by-case basis, from applicable federal disclosure requirements to allow those companies to test trial disclosures.  The proposal followed Acting Director Mulvaney’s July 2018 appointment of Paul Watkins to serve as Director of the Bureau’s Office of Innovation.  Before joining the CFPB, Mr. Watkins was in charge of fintech initiatives in the Arizona AG’s Office and led the state’s efforts to create its regulatory sandbox.  The CFPB’s proposal includes a process for the CFPB to coordinate with sandbox programs offered by other regulators.

The Finance Commission of Texas (the commission), on behalf of the Texas Department of Banking (the department), adopts amendments to §§12.2, 12.3, 12.10, and 12.12, concerning the application of lending limits to credit exposure under derivative transactions and securities financing transactions, without changes to the proposed text as published in the August 30, 2013, issue of the Texas Register (38 TexReg 5616). The text will not be republished.

Last year, the commission adopted several new and amended sections in Chapter 12, Subchapter A, to comply with new federal law regarding application of the lending limit of Finance Code, §34.201, to such credit exposures, as published in the December 28, 2012, issue of the Texas Register (37 TexReg 10195) (the original adoption). The adopted provisions were modeled on the interim final rule of the Office of the Comptroller of the Currency (OCC) on the same subject, published in the June 21, 2012, edition of the Federal Register (77 Fed. Reg. 37265), for the reasons stated in the original adoption.

In general, a model based on the OCC approach takes advantage of the deeper capital markets expertise of the OCC. Further, state requirements similar to those imposed by the OCC on national banks tend to minimize the potential for regulatory arbitrage (converting from national bank to state bank) based on a perception of weaker state regulation. In anticipation that the OCC would ultimately revise its interim final rule, the commission indicated in its original adoption that further amendments would likely be proposed once the final disposition of the OCC rulemaking was known.

On June 19, 2013, the OCC released its final rule regarding procedures and methodologies for calculating the credit exposure under a derivative transaction or a securities financing transaction. Published in the June 25, 2013, edition of the Federal Register (78 Fed. Reg. 37930), the final rule had a number of changes made in response to comments. The amendments adopted today make similar changes. The explanations below are based in part on the OCC analysis and discussion at 78 Fed. Reg. 37930-37946 (June 25, 2013).

See link for additional details.

NOTICES

Adjustment to Definition of ''Base Figure'' in the Loan Interest and Protection Law 

[48 Pa.B. 6993] [Saturday, November 3, 2018]

The Department of Banking and Securities (Department), as required by the definition of ''base figure'' in section 101 of the act of January 30, 1974 (P.L. 13, No. 6) (41 P.S. § 101), known as the Loan Interest and Protection Law, is publishing the following notice regarding the inflation adjusted base figure for the calendar year 2019. The Department has determined that the current base figure of $250,324 adjusted for annual inflation using the ''Consumer Price Index—All Urban Consumers: U.S. All Items 1982—84 = 100'' published by the United States Department of Labor Bureau of Labor Statistics results in a base figure of $256,023. This new base figure will be effective January 1, 2019, for the calendar year 2019.

ROBIN L. WIESSMANN,  Secretary

[Pa.B. Doc. No. 18-1703. Filed for public inspection November 2, 2018, 9:00 a.m.]

Rhode Island Banking Bulletin 2018-4 provides forms that are required by R.I. Gen. Laws Chapter 34-27 and are designated for use in compliance with regulation 230-RICR-40-10-3 – Home Loan Protection.

FORM 1HLPA PROHIBITED ACTS OF LENDERS AND LOAN BROKERS IN R.I. GEN. LAWS § 34-25.2-1 et seq

• This form must be provided no later than three (3) business days of application.

FORM 2HLPA PROHIBITED ACTS OF LENDERS AND LOAN BROKERS IN R.I. GEN. LAWS § 34-25.2-1 et seq

• This form must be provided no later than three (3) business days of application.
  

FORM 3HLPA RHODE ISLAND HOME LOAN PROTECTION ACT DISCLOSURE TANGIBLE NET BENEFIT

• This form must be provided prior to or upon consummation of the home loan.

FORM 4HLPA RHODE ISLAND HOME LOAN PROTECTION ACT DISCLOSURE HIGH-COST HOME LOAN

• This form is to be provided to the applicant at such time that it is determined by the creditor that the new loan is a “high-cost home loan,” but in sufficient time as to enable the applicant to receive, prior to closing the loan, face-to-face counseling on the advisability of the high-cost home loan transaction, with a third party non profit organization. Applicant must complete, and creditor must receive a certificate of face-to-face counseling with a third-party non profit organization approved by the united states department of housing and urban development prior to making any high-cost home loan.

FORM 5HLPA RHODE ISLAND HOME LOAN PROTECTION ACT DISCLOSURE

• This form is to be provided to the applicant at such time that it is determined by the creditor that the new loan is a “high-cost home loan,” but in sufficient time as to enable the applicant to receive, prior to closing the loan, face-to-face counseling on the advisability of the high-cost home loan transaction, with a third party non profit organization. Applicant must complete, and creditor must receive a certificate of face-to-face counseling with a third-party non profit organization approved by the united states department of housing and urban development prior to making any high-cost home loan.

Buckley Sandler, LLP--InfoBytes Blog

On October 1, the Rhode Island Department of Business Regulation adopted amendments to its regulations relating to mortgage foreclosure disclosure notices and mediation conference obligations. The amendments—which are effective as of September 28—require entities and individuals regulated by the Rhode Island Division of Banking and non-exempt mortgagees to comply with the outlined foreclosure provisions. The provisions, among other items, (i) require use of the notice of pending foreclosure form; (ii) require provision of notice of mediation conferences to all mortgagors prior to initiating a foreclosure, in the specified manner; and (iii) outline qualifications for the mediation coordinator responsible for issuing certificates of compliance.

Bankers Advisory, Residential Mortgage Compliance Monitor--Elizabeth Dailey

The Colorado Department of Regulatory Agencies, Division of Real Estate, has adopted a provision regarding pre-licensing education requirements. This provision is effective as of November 14, 2018.

Under the new provision, applicants for licensure as a Colorado mortgage loan originator must successfully complete twenty hours of pre-licensing education within three years of the date of application for licensure. The previous provision did not include this time requirement.

Ballard Sparh, LLP--Alan S. Kaplinsky

As part of an investigation launched earlier this year into allegations of redlining in the Philadelphia area, the Pennsylvania Attorney General Josh Shapiro recently called on mortgage borrowers and home loan applicants in the Philadelphia area to file complaints with his office "if they believe they may have been victims of redlining or experienced irregularities when looking for a mortgage or home loan."

As examples of "redlining tactics or irregularities," the AG's press release lists:

• Difficulty getting an in-person appointment with a loan officer;
• Not receiving a written pre-approval or quote promised by the loan officer;
• Not receiving return phone calls from a loan officer; and
• Refusal to provide a loan application after the loan officer learns of the applicant's race, the racial makeup of the neighborhood where the applicant intends to buy the home, or other information relating to the area's racial or ethnic characteristics.

The Pennsylvania AG launched the redlining investigation in response to an investigative article that identified a pattern of discrimination in which African American borrowers were 2.7 times more likely to be denied a home mortgage in Philadelphia than white borrowers. The article found that white applicants received 10 times as many loans as black applicants, even though they made up similar proportions of the population. Based on an analysis of publicly available Home Mortgage Disclosure Act (HMDA) data, the article concluded that black applicants were denied conventional mortgage loans at significantly higher rates than white applicants in 48 cities, including Philadelphia.

The District of Columbia's AG as well as the AGs of other states, such as Washington, Illinois, Iowa, and Delaware, are reported to also be conducting redlining investigations. In 2015, the New York AG entered into a settlement with Evans Bank to resolve a lawsuit filed by the NY AG alleging that the bank had engaged in redlining. HMDA data was recently used by a Connecticut fair housing advocacy group to support redlining claims in a lawsuit filed in Connecticut federal district court alleging that Liberty Bank had engaged in discriminatory mortgage lending in violation of the federal Fair Housing Act.

We expect state AGs to continue to focus on redlining unless and until the Consumer Financial Protection Bureau and/or U.S. Department of Justice re-focus on the issue.

Ballard Spahr LLP--Alan S. Kaplinsky

By an overwhelming vote (approximately 1,4270,000 million to 433,000), Colorado voters passed Proposition 111, a ballot initiative that places a 36 percent APR cap on payday loans.  The question presented to voters was:

Shall there be an amendment to the Colorado Revised Statutes concerning limitations on payday lenders, and, in connection therewith, reducing allowable charges on payday loans to an annual percentage rate of no more than thirty-six percent?

As described on the Colorado Secretary of State’s website, Proposition 111 “would restrict the charges on payday loans to a yearly rate of 36 percent and would eliminate all other finance charges and fees associated with payday lending.”

Colorado’s Attorney General has indicated that at least half of all retail lenders closed their doors following the enactment of legislation in 2010 that restricted payday loan fees to an average APR of about 120%.  We suspect that Proposition 111 will have a similar effect, with only the most efficient operators remaining that can rely on sheer volume, sophisticated underwriting, and other product structures available under the Colorado Consumer Credit Code.

According to American Banker, the passage of Proposition 111 makes Colorado the fifth state to impose rate caps on payday loans through a voter referendum.  The other states to have done so are South Dakota, Ohio, Arizona, and Montana.

Ballard Spahr--John L. Culhane, Jr.

It has been reported that, without announcement or warning, the regulations applicable to third-party debt collectors in Massachusetts may have changed.  While the state’s Division of Banks (DOB) and the state’s Attorney General (AG) have traditionally regulated, respectively, third-party debt collectors and first-party creditors, the AG is reported to have changed its website recently to include third-party debt collectors as entities that it regulates.

Such a change could have significant implications because the AG’s rules differ from the DOB’s rules.  For example, the verification requirements under the AG’s rules contain more procedures than the DOB’s rules.  We expect industry trade groups to seek clarification from the DOB and AG.