Alston & Bird Consumer Finance Blog

State Law

New York State Proposes Consumer Protection Reforms through FAIR Business Practices Act

What Happened?

On March 13, New York state legislators introduced new legislation called the Fostering Affordability and Integrity Through Reasonable (FAIR) Business Practices Act.  The bill, supported by New York Attorney General Letitia James, aims to strengthen New York’s existing consumer protection law and would expand the law’s scope from only covering “deceptive” acts or practices to also include “unfair” and “abusive” practices.  It would apply in the consumer, as well as the small business context.

Why Is It Important?

The FAIR Act comes at a time when consumer protection at the federal level has stalled, particularly with respect to the activities of the Consumer Financial Protection Bureau (CFPB).   State attorneys general have promised to step in to address any resulting gaps in consumer protection.

The FAIR Act defines unfair and abusive acts and practices expansively, to reach conduct that could be considered unfair or abusive, but arguably not deceptive.  Additionally, it provides for enhanced civil penalties for unfair, deceptive, or abusive practices against “vulnerable persons,” including those under 18 or over 65, active duty servicemembers and veterans, physically or mentally impaired persons, and individuals with limited English proficiency.  The legislation provides for civil penalties of: (a)$5,000 per violation; or (b) for knowing or willful violations, the greater of $15,000 or three times the amount of restitution for each violation.

What To Do Now?

Businesses operating in New York can prepare for potential changes by reviewing current practices to identify those that might be considered unfair or abusive under the broader scope of the FAIR Act.  Additionally, they can:

  • Monitor the progress of this legislation and be prepared to adjust business practices accordingly, especially as state-level enforcement of consumer protection laws is likely to increase in response to reduced federal action​​​​​​​​​​​​​​​; and
  • Pay particular attention to practices that might affect “vulnerable persons” as defined in the legislation, as these could result in enhanced civil penalties.

California Attorney General Targets Location Data in New Investigative Sweep

This week California Attorney General Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act (CCPA). We have anticipated this sweep for some time based on the focus and the direction of a number of inquiries, investigations, and enforcement proceedings initiated by Attorney General Bonta’s office over the past 12-24 months.

The Notices of Violation issued by the Attorney General’s office will give rise to meaningful risks for many of the receiving businesses. We anticipate the Attorney General’s team will focus on granular technical details of data collection via mobile apps including through the third-party SDKs[1] that are ubiquitous across digital mobile products. How these and other digital analytics tools collect and transfer data, including precise location data, is often not well understood even by the internal digital marketing, data analytics, and product development teams that deploy and use the tools. This blind spot has created a zone of risk for many businesses that would not consider themselves a part of the “location data industry” referenced in the Attorney General’s announcement.

The interactions with the Attorney General’s office in these investigations and in enforcement proceedings can also change focus when the Attorney General’s staff suspects compliance gaps in other sensitive areas, such as use of mobile apps by children or in connection with healthcare or other sensitive activities. Careful and detailed internal legal/technical data flow analyses are therefore critical to quickly identifying the full scope of potential risk and framing the strategy for engaging with the Attorney General. For those businesses that have not received notices, this is another opportunity to close the gap between digital advertising, data analytics, and mobile app development and these emerging and increasingly clear legal privacy standards relating to precise location data and use of third-party SDKs in mobile apps.

Alston & Bird’s Privacy, Cyber & Data Strategy Team has extensive experience advising and defending clients who receive inquiries and violation notices from California’s privacy regulators.  We will continue to monitor developments in privacy regulatory enforcement in California and other states.

[1] “SDK” refers to a software development kit. These tools, many of which are free, are commonly used by mobile app teams to shorten app development timelines and quickly add features and functions to mobile apps.

_______________________________
Originally published March 12, 2025 on Alston & Bird’s Privacy, Cyber & Data Strategy Blog.

Consumer Finance State Roundup

The latest edition of the Consumer Finance State Roundup highlights recently enacted measures of potential interest from two states:

California:

Effective January 1, California Assembly Bill 3108 addresses mortgage fraud.  Previously, California law defined “mortgage fraud” to include, in connection with a mortgage loan transaction, filing with the county recorder any document that the person knows to contain a deliberate misstatement, misrepresentation, or omission, and with the intent to defraud.

Taking this a step further, the measure prohibits the filing of any document with the recorder of any county that a person knows to contain a material misstatement, misrepresentation, or omission. Further, the measure expressly provides that a mortgage broker or person who originates a loan commits mortgage fraud if, with the intent to defraud, the person takes specified actions relating to instructing or deliberately causing a borrower to sign documents reflecting certain loan terms with knowledge that the borrower intends to use the loan proceeds for other uses. For prosecution purposes, the alleged fraud value must be $950 or more (the threshold for grand theft).

A mortgage lender could unintentionally find itself guilty of mortgage fraud if it simply allows a borrower to use a business purpose loan for consumer purposes or makes a bridge loan that it knows will not be used for a dwelling. California’s Penal Code § 532f(b) makes it mortgage fraud for a mortgage broker or lender to allow mortgage-related documents to be formed and filed when the broker or lender has reason to know that the borrower intends on using the loan for purposes other than for what the loan is intended.

Although intent to defraud is an element to this crime, that element can only be determined through rigorous and time-consuming investigation. If a borrower, for example, uses a business loan for consumer purposes or does not apply the funds from a bridge loan towards a dwelling, the lender will be subject to additional scrutiny unless it can prove that all efforts were made to understand the borrower’s plans for the funds.

The measure also prohibits a person who originates a covered loan from avoiding, or attempting to avoid, the application of the law regulating the provision of covered loans by committing mortgage fraud. A “covered loan” means a consumer loan in which the original principal balance of the loan does not exceed the most current Fannie Mae conforming loan limit for a single-family first mortgage loan.

The measure also amends Section 4973 of the Financial Code, which imposes certain requirements ad restrictions (e.g., the inclusion of a prepayment fee or penalty after the first 36 months) in connection with covered loans and amends Section 532f of the Penal Code (as discussed above) in connection with the prohibition on committing mortgage fraud.

New York:

  • Effective June 11, Assembly Bill 424 amends Section 35 of the Banking Law, which relates to an information pamphlet that residential mortgage lenders must provide to applicants. In place of making a physical pamphlet available to lenders, the amended section requires the Department of Financial Services to notify mortgage bankers of the posting a digital version of the pamphlet on the Department’s website (and when it makes any changes thereto). The measure also amends the pamphlet contents to reflect that a lender may provide an applicant with a good faith estimate (instead of a loan estimate), depending on the type of loan for which the applicant is applying.
  • Effective May 15, Assembly Bill 2056 amends Section 283 of the Real Property Law, which limits the amount of flood insurance that a mortgagee may require a mortgagor to maintain. Under current law, that section provides that the maximum amount of coverage a mortgagee may require is the mortgage’s outstanding principal amount as of January 1 of the year the policy will be in effect. As amended, that section makes the maximum permitted amount of coverage the lesser of the outstanding principal amount or the residential property’s replacement. Additionally, AB2056 slightly alters the printed notice about flood insurance that a mortgagee must deliver to mortgagors, removing language referring to the fact that required coverage would only protect the interest of the lender or creditor in the property.
  • Effective March 21, New York Senate Bill 804 amends data breach notification requirements. Section 899-aa of the General Business Law requires a person or business to notify New York residents whose data is part of a breach, as well as to provide notice to certain governmental entities (including the Department of Financial Services). As amended, that section will require notification to the Department of Financial Services (in the form mandated by N.Y. Comp. Code R. & Regs. tit. 23, § 500.17) only by “covered entities.” A “covered entity” is any person who requires any type of authorization to operate under the Banking Law, Insurance Law, or Financial Services Law, and thus includes a mortgage banker or mortgage servicer.

Maryland Secondary Market Imperiled by Sweeping Regulatory Change Requiring Licensure for All Assignees of Mortgage Loans

What Happened?

A development with far-reaching consequences for the secondary market, on January 10, 2025, the Maryland Office of Financial Regulation (“OFR”) issued guidance that requires mortgage trusts and their assignees to be licensed in Maryland. The OFR based its guidance on its interpretation of the case, Estate of Brown v. Ward, 261 Md. App 385 (2024). The case involved a home equity line of credit (“HELOC”) that was made subject to Maryland’s credit grantor provisions. The court would not consider existing Maryland case law that provides that a securitization trust with a national bank trustee is not subject to licensing because those cases did not involve the credit grantor provisions. The OFR took the opposite approach and reached the conclusion that all assignees, including passive trusts of residential mortgage loans are subject to licensing. OFR issued regulations to accompany the guidance, which are effective immediately, but enforcement will be delayed until April 10, 2025.

The OFR’s unduly expansive interpretation of Estate of Brown and its mandate that all assignees of residential mortgage loans be licensed under the Mortgage Lender Law (“MLL”) or Installment Loan Law (“ILL”) is a radical departure of how Maryland regulates secondary market assignees of residential mortgage loans. Prior to this change, the licensing requirements of both the ILL and the MLL applied exclusively to original creditors and primary market participants, such as brokers and servicers, not their assignees. Up to now, the OFR did not require secondary market purchasers of loans, trusts, and other securitization vehicles to obtain licenses in Maryland. However, the guidance would appear to require licensing for all subsequent assignees, including whole loan purchasers, trusts and other special purpose entities, absent an exemption. This licensing requirement will create a logistical nightmare for the secondary market, especially securitization trusts, and unless Estate of Brown is reversed by the Maryland Supreme Court and the OFR’s regulation and guidance is withdrawn, it could adversely impact the availability of credit to Maryland consumers. While the OFI has suspended enforcement of the regulations until April, the regulations apply to impacted entities as of January 10, 2025. Therefore, these entities should not foreclose on Maryland residential loans without first obtaining an MLL license.

The Maryland Appellate Court Decides Trusts and Other Assignees of Certain Loans Must Be Licensed

In Estate of Brown, a Delaware statutory trust acquired a HELOC on residential real property located in Maryland and sought to foreclose. The personal representative to the borrower’s estate raised several challenges to foreclosure, including that the trust was not properly licensed as the assignee of the HELOC. On appeal from dismissal of those challenges, the appellate court of Maryland reversed and held that the licensing requirements under the Credit Grantor Revolving Credit Provisions (“OPEC”) apply not only to original credit grantors but also to assignees of revolving credit plans. The OPEC subtitle provides that “[a] credit grantor making a loan or extension of credit under this subtitle is subject to [] licensing ….”

The underlying HELOC included an election stating that “[t]his loan is made under Subtitle 9, Credit Grantor Revolving Credit Provisions of Title 12 of the Commercial Law Article of the Annotated Code of Maryland.” The court held that persons, including the Delaware statutory trust, that acquire revolving credit plans made under OPEC are subject to the licensing requirements of that subtitle.

The Maryland appellate court reasoned that OPEC defines a “credit grantor” to include any person who acquires or obtains the assignment of a revolving credit plan made under OPEC. The Court opined that an assignee inherits the rights and obligations of the original lender, including the duty to be licensed.

Maryland Office of Financial Regulation (“OFR”) Seeks to Expand the Maryland Appellate Decision

Although Estate of Brown dealt solely with OPEC, there is also a companion statute for Credit Grantor Closed End Credit Provisions (“CLEC”) found at Md. Code, CL § 12-1001, et seq. Like OPEC, under CLEC, a license is required under ILL and/or MLL, unless exempt, for a credit grantor making a closed-end loan or extension of credit under CLEC. In both instances, the licensing requirement is only triggered if the loan is expressly made under OPEC or CLEC. In order for a loan to be subject to OPEC or CLEC, the lender ordinarily makes a written election to do so in the agreement, note, or other evidence of the extension of credit. Md. Code Ann., Com. Law §§ 12-913; 12-1013.

In industry guidance issued by OFR, noting the identical licensing obligations under the two statutes, OFR concluded that a license is required for an assignee of both an OPEC and a CLEC loan. However, OFR also took the extraordinary step of stating that a license is required for ANY assignee of a mortgage loan, even if no OPEC or CLEC election is made. OFR concluded as much despite the Estate of Brown case relying on the licensing requirement applicable to credit grantors, as that term is defined by OPEC and CLEC. The court in Estate of Brown expressly stated that it did not matter that MLL does not impose an independent licensing obligation on an assignee because the “licensing argument is founded entirely on the Credit Grantor Revolving Credit Provisions subtitle. Specifically, [the argument] relies on CL § 12-915 as the source of the licensing obligation.” While OPEC and CLEC define credit grantors to include assignees, the definition of lender for both ILL and MLL is limited to the person making a loan. For example, MLL only requires a license for a “mortgage lender” which is defined as any person who: (1) is a mortgage broker; (2) makes a mortgage loan to any person; or (3) is a mortgage servicer. Md. Code, FI § 11- 501(k)(1). Clearly, an assignee of a loan is not included in the definition of a mortgage lender.

The Guidance and Emergency Regulations

OFR states that persons that acquire or obtain assignments of any mortgage loan, including but not limited to mortgages made under OPEC or CLEC, are subject to licensing, absent an exemption under the ILL and MLL. However, an entity licensed under the MLL and engaged solely in mortgage lending business does not also need an ILL.

In addition to guidance, OFR promulgated emergency regulations applicable to MLL licensing. The regulations define “passive trusts” to include mortgage trusts that acquire, but do not originate, broker, or service, mortgage loans and allow a passive trust to designate the trustee, or a principal officer of the trustee if the trustee is not a natural person, as the passive trust’s qualifying individual. The regulations also allow a passive trust to satisfy the statutory net worth requirement by providing evidence of assets, such as securitized mortgage pools, that will be held within 90 days of licensure.

Why Does it Matter?

The guidance is troubling for several reasons. First, it is inconsistent with the law. Across the nation, secondary market participants recognize that a license is only required if the licensing statute specifically applies to assignees, but the OFR has upended this long held convention by boldly proclaiming that all assignees must carry the same licenses that are required of originators. As a result, based on regulations from OFR, it now appears that all assignees of mortgage loans must obtain a Mortgage Lender License, unless exempt.

Second, its rationale is not limited to mortgages. Although the guidance focuses on mortgage loans, and the regulations only address the MLL, the interpretation suggests that assignees of installment loans must also obtain an Installment Lender License. While the guidance suggests that a license under the ILL will be needed at least for an entity obtaining installment loans, unlike the MLL, there are no corresponding regulatory amendments signaling how a trust may comply with the licensing provisions of the ILL.

Third, it is not clear if an assignee of a mortgage loan could need another license. The OFR’s guidance indicates that an entity licensed under the MLL, and solely engaged in mortgage lending, does not need an ILL license. While it appears that OFR intends for an assignee of mortgage loans to only obtain an MLL license, “mortgage lending” is defined narrowly. A passive holder of mortgage loans would not be engaged in lending, brokering, or servicing as those terms are defined by the MLL. Accordingly, an assignee who is not making, brokering, or servicing mortgage loans is arguably not engaged in mortgage lending, leaving open the possibility that secondary market participants could need to obtain both licenses rather than just the MLL license.

Overall, the licensing process is onerous. Trusts will need to designate a principal officer who meets qualifications such as having three years of experience in mortgage lending. The officer will also be subject to a credit report check, a criminal background check (including fingerprinting), and must submit a resume. Additionally, trusts must obtain a surety bond, register as a foreign entity in Maryland, and provide a business volume statement for the past 12 months. These requirements may impose significant costs and administrative burdens, particularly if bank trustees must become involved. Additionally, licensees are subject to the substantive requirements set forth in the applicable law and regulations.

The OFR’s actions are part of a growing assertiveness by state and federal governments to regulate the secondary market and trusts in particular. For example, the CFPB has successfully asserted the power to investigate and bring enforcement actions directly against securitization vehicles and on October 1, 2024 settled a long standing action against National Collegiate Student Loan Trusts (“NCSL Trusts”), as well as the Pennsylvania Higher Education Assistance Agency (“PHEAA”), the primary student loan servicer for active student loans held by the NCSL Trusts, arising in connection with the NCSL Trusts’ and PHEAA’s alleged improper servicing practices.

What Do I Need to Do?

 Trusts and any entity that acquires Maryland loans should review their portfolios to determine if a license is required under the MLL and/or ILL. Notably, the licensing requirement is effective as of January 10, 2025, although enforcement is paused through April 10, 2025. During this period, entities should become familiar with what it means to be a licensee and gain familiarity with the mortgage lender application requirements that require, among other things, the appointment of a “qualifying individual” who has three years’ experience in mortgage lending.

Industry participants and trade groups should work together closely to advocate against these startling changes, provide comments to the OFR’s regulations, and provide additional pushback against this attempted regulatory overreach.

Alston & Bird’s Consumer Financial Services Team is actively engaged and monitoring these developments and is able to assist with any compliance concerns regarding these sweeping changes to Maryland law.

New York Passes New Removal Procedures for Officers, Directors, Trustees, and Partners of Any Entity Regulated by Department of Financial Services

What Happened?

On December 21, 2024, New York Governor Kathy Hochul, signed into law, S7532, which repealed the existing section of the Banking Law addressing the removal of officers, directors, and trustees of banking organizations, bank holding companies and foreign banks (“covered individuals”), and enacted a new section providing a clearer process for removing such individuals and expanding the scope of the removal authority to apply to all entities regulated by the New York Department of Financial Services (“the Department”).

Repealed Section:

The former provisions regarding the removal of covered individuals were limited to banking organizations, bank holding companies, and foreign banks.

The Superintendent of the Department (“the Superintendent”) was authorized to bring an action to the Banking Board (“the Board”) to remove an officer, director, or trustee whenever it found that such individual:

  • violated any law or regulation of the Superintendent of financial services, or
  • “continued unauthorized or unsafe practices . . . after having been ordered or warned to discontinue such practices.”

Note that the Banking Board has not existed since the Department of Financial Services was created in 2011.

The Board would then serve notice of the action to the covered individual to appear before the Board to show why they should not be removed from office. A copy of this notice would be sent to each director or trustee of the banking organization and to each person in charge of and each officer of a branch of a foreign banking corporation.

If after a three-fifths vote by the Board members the Board found that the individual committed such violations, an order would be issued to remove the individual from office.

The removal became effective upon service of the order. The order and findings were not made public, and were only disclosed to the removed individual and the directors or trustees of the banking organization involved. Any such removed individual that participated in the management of such banking organization without permission from the Superintendent would be guilty of a misdemeanor.

Newly Enacted Section:

The new provision expands the removal authority of the Superintendent to apply to all entities regulated by the Department (“covered entities”), including: banks, trust companies, limited purpose trust companies, private banks, savings banks, safe deposit companies, savings and loan associations, credit unions, investment companies, bank holding companies, foreign banking corporations, licensed lenders, licensed cashers of checks, budget planners, mortgage bankers, mortgage loan servicers, mortgage brokers, licensed transmitters of money, and student loan servicers.

The Superintendent is authorized to bring an action to remove such individuals whenever it finds reason to believe that they:

  • caused, facilitated, permitted, or participated in any violation by a covered entity of a law or regulation, order issued by the Superintendent or any written agreement between such covered entity or covered individual and the Superintendent;
  • engaged or participated in any unsafe or unsound practice in connection with any covered entity; or
  • engaged or participated in any willful material act or omitted to take any material act that directly contributed to the failure of a covered entity.

The notice and hearing provisions were changed to allow the Superintendent to serve a statement of charges against the covered individual and a notice of an opportunity to appear before the Superintendent to show cause why they should not be removed from office. A copy of such notice must now be sent to the affected covered entity, instead of the directors or trustees of the covered entity and persons in charge of foreign bank branches.

Additionally, the threshold for removal was changed. Instead of being removed by a three-fifths vote of a board that no longer exists, the covered individual may be removed if, after notice and hearing: (1) the Superintendent finds that the covered individual has engaged in the unlawful conduct, or (2) if the individual waives a hearing or fails to appear in person or by authorized representative.

The order of removal is effective upon service to the individual. The order must also be served to any affected covered entity along with the statement of charges. The order remains in effect until amended, replaced, or rescinded by the Superintendent or a court of competent jurisdiction. Such removed individual is prohibited from participating in the “conduct of the affairs” of any covered entity unless they receive written permission from the Superintendent. If the individual violates such prohibition, they are guilty of a misdemeanor.

Furthermore, the Superintendent is now authorized to suspend the covered individual from office for a period of 180 days pending the determination of the charges if the Superintendent has reason to believe that:

  • a covered entity has suffered or will probably suffer financial loss that impacts its ability to operate in a safe and sound manner;
  • the interests of the depositors at a covered entity have been or could be prejudiced; or
  • the covered individual demonstrates willful disregard for the safety and soundness of a covered entity.

The suspension may be extended for additional periods of 180 days if the hearing is not completed within the previous period due to the request of the covered individual.

Why Does it Matter?

Prior to the update, the Superintendent only had the power to remove individual officers, directors, or trustees from office in various bank organizations. The new law expands this removal power to all entities regulated by the Department.

The amended statute creates an additional penalty for individuals who caused, facilitated, permitted, or participated in the violation of the Banking Law in their positions of power of a regulated entity. Such individuals may be removed from their positions and prohibited from participating in the management of any regulated entity, until they receive written permission from the Superintendent. If they violate the prohibition, they are guilty of a misdemeanor, which can be punished by imprisonment for up to 364 days or by a fine set by the Superintendent.

What Do I Need To Do?

Entities regulated by the Department that are now covered under this section should be aware that violations of law by a licensee may also lead to the removal of certain high-level individuals within the organization. If removed, such individuals would also be prohibited from managing any regulated entity until the Superintendent provides written permission to do so. Affected entities and individuals should take care to ensure compliance with the law to avoid these new penalties.