Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

• On January 31, the Consumer Financial Protection Bureau (CFPB) published its Fall 2021 Unified Agenda in the Federal Register. For more information, click here.

• On January 27, the CFPB released its annual list of consumer reporting companies. The list identifies dozens of specialty reporting companies that collect and sell access to people’s data, including individuals’ finances, employment, check writing histories, or rental history records. For more information, click here.

• On January 27, the Federal Trade Commission (FTC) announced that consumers in 2021 reported losing about $770 million to fraud initiated on social media — about one fourth of all reported fraud losses for the year and an 18-fold increase from 2017, according to the FTC’s latest Consumer Protection Data Spotlight. For more information, click here.

• On January 26, the CFPB launched an “initiative,” which the regulator claims could “save households billions of dollars a year by reducing exploitative junk fees charged by banks and financial companies.” Consumers having an issue with a consumer financial product or service can submit a complaint with the CFPB online or by calling (855) 411-CFPB (2372). For more information, click here.

• On January 26, the Securities and Exchange Commission (SEC) proposed rules to expand Regulation ATS to govern alternative trading systems involved in trading securities, which may reach cryptocurrency exchanges and decentralized finance projects. The 654-page proposal would expand the definition of an “exchange” in Exchange Act Rule 3b-16(a) to include “communication protocol systems that make available for trading any type of security.” SEC officials previously stated their beliefs that many, if not all, digital assets qualify as securities. Republican SEC Commissioner Hester Peirce, in a dissenting statement, noted that “[e]ven if you have nothing to do with government securities or even fixed-income, or with traditional securities, read this release,” as “[i]t covers a lot of ground, and you should not assume that it has nothing to do with you, because it probably does.” The proposal has not yet been published in the Federal Register, which will start the 30-day public comment period. For more information, click here.

• On January 24, the CFPB published a notice and request for comment regarding its inquiry into buy-now-pay-later providers. For more information, click here.

State Activities:

• On January 28, the Texas Supreme Court announced that it is accepting comments on its proposed amendments to the Texas Rules of Civil Procedure notice of judgment and monetary damages, as well as service of writ of garnishment, before they take effect on May 1. The court may change the proposed amendments in response to the public comments, which are due by March 4 to rulescomments@txcourts.gov. For more information, click here.

• On January 26, New York Attorney General Letitia James announced a major win over WinRed in a consumer protection case. WinRed is a company that “processes online donations for the Republican Party” and “sued New York, Connecticut, Maryland, and Minnesota following the states’ inquiry into WinRed’s use of pre-checked recurring donation boxes in political solicitations.” The U.S. District Court for the State of Minnesota rejected WinRed’s jurisdictional challenges, which allows New York’s (and other states’) investigations into the company to proceed. For more information, click here.

• On January 25, the Florida Office of Financial Regulation (OFR) issued an investor advisory “to raise awareness about decentralized finance (DeFi), a relatively new blockchain-based group of financial services gaining popularity[.]” According to OFR Commissioner Russell C. Weigel, III, “DeFi-based companies offer lending, banking, and investing options that are decentralized and not dependent on traditional financial markets. This evolution of financial services is not necessarily a bad thing and may be a good thing, but before getting involved with a company or product in the DeFi market, take reasonable steps to understand the risks of this emerging blockchain-based technology and market.” The OFR states that it is “committed to allowing innovation to grow and thrive while protecting Floridians from bad actors.” For more information, click here.

• On January 25, a Republican state senator from Arizona introduced a bill to add a definition of “legal tender” into the law of Arizona, which would include bitcoin. SB 1341, which defines bitcoin to mean “the decentralized, peer-to-peer digital currency in which a record of transactions is maintained on the bitcoin blockchain and new units of currency are generated by the computation solution of mathematical problems and that operates independently of a central bank,” can be read here.

• On January 24, New York Attorney General Letitia James announced a $600,000 agreement with EyeMed after a 2020 data breach. According to the press release, the data breach compromised the personal information of approximately 2.1 million consumers nationwide, including 98,632 in New York. In addition to the monetary settlement, EyeMed agreed to “[p]ermanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it” and to “[e]ncrypting sensitive consumer information that it collects, stores, transmits and/or maintains.” For more information, click here.

Privacy and Cybersecurity Activities:

• On January 25, California Attorney General Rob Bonta issued a warning to Californians to beware of fake COVID-19 testing locations and websites. These scammers exploit vulnerable individuals by posing as legitimate companies and health care clinics offering COVID-19 testing. However, after receiving payment for a COVID-19 test, these fake testing sites often fail to provide patients with results. They also may ask for a patient’s personal identifiable information with the intent to commit fraud. Bonta provided several tips to avoid fake COVID-19 testing sites including: (1) only get tested at verified COVID-19 testing sites or through medical groups, (2) identify and avoid “lookalike” websites that look identical to well-known trusted organizations, and (3) be cautious of unsolicited calls regarding testing sites. For the full alert, click here.

• The FTC warned that social media platforms like Facebook and Instagram are a “gold mine” for crypto scammers. The latest consumer data report from the FTC saw a sharp spike in online fraud scheme, particularly bogus cryptocurrency ventures. Last year, consumers reported losing around $770 million to fraud that began with an ad or message on social media — up from $258 million from the year before and an 18-fold increase from 2017. These scams are typically either investment schemes, which involve consumers getting tricked into sending money on promises of huge returns but ending up with nothing, or shopping scams, where individuals purchase an item but never receive it. To read the two alerts, click here and here.

• On January 26, consumer privacy advocates sent a letter, urging lawmakers to pass a bill that would prevent law enforcement and intelligence agencies from buying Americans’ private data from telecom providers. The American Civil Liberties Union (ACLU) spearheaded the letter, which encouraged lawmakers to prioritize the “issue of government surveillance abuse.” To read the letter, click here.

• In honor of Data Privacy Day on January 28, the New York Department of Financial Services (NYDFS) released several tips to protect one’s consumer data. These include (1) being wary of unsolicited emails and telephone calls seeking personal information; (2) securing your mobile devices, including downloading software updates, (3) carefully using Wi-Fi hotspots, including limiting use of public Wi-Fi and cautiously logging into sensitive accounts; (4) using strong passwords; (5) varying the types of security questions used on different accounts; and (6) watching out for phishing. For the full list of tips and statement, click here.

• Nebraska State Senator Mike Flood (R-NE) proposed Legislature Bill 1188, which would enact the Uniform Law Commission’s Uniform Personal Data Protection Act (UPDPA). Nebraska is the first state to introduce the ULC’s framework, drafted with a goal toward universal adoption across states. The UPDPA calls for certain rights, including a right for users to access and correct data, opt-in requirements for individuals under the age of 13, and a prohibition on discrimination. Unlike other bills, it would not provide a private a right of action nor a right to deletion. To read the bill, click here.