Alston & Bird Consumer Finance Blog

State Law

NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

By , , ,

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

  • Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09.  The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that as a general framework is not open to customization.
    • In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
  • Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and proposed draft from November 2022) and bringing it in alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems,” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a), (1) the pre-requisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception if the CISO approves in writing a reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
    • For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
  • Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added an additional requirement that a covered entity’s IRP include requirements to address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact from the cybersecurity event, and remediation steps to prevent reoccurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entities “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and not currently in effect in the existing regulation.
  • Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year.  Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities to complete the certification.  Going forward, covered entities would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)).  It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that it may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
  • Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally-recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation.  DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment are subject to a 45-day comment period, ending August 14, 2023.

Georgia, Florida, Connecticut Enact Commercial Financial Disclosure Laws

By ,

A&B Abstract:

Georgia, Florida, and Connecticut are among a growing list of states, including California, New York, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. These laws are part of a burgeoning trend by state legislatures to impose burdensome disclosures, like those required by the federal Truth in Lending Act (TILA), on providers of small-balance commercial loans and financings. These laws apply to business-purpose transactions but not to transactions having a consumer, family, or household purpose.

The Georgia Law

On May 1, 2023, Georgia amended its Fair Business Practices Act to require certain providers of commercial financings of $500,000 or less to furnish various disclosures to small-business borrowers before the consummation of the transactions. The statute, known as Senate Bill 90, applies to covered commercial financings consummated on or after January 1, 2024.

The Georgia law requires providers of commercial credit in amounts of $500,000 or less to provide TILA-like disclosures to small-business borrowers before the consummation of the transaction but does not specify the time period. The Georgia law defines “provider” as “a person who consummates more than five commercial financing transactions” in Georgia during any calendar year, including participants in commercial purpose marketplace lending arrangements. “Commercial financing transactions” include both closed-end and open-end commercial loans as well as accounts receivable purchase transactions but do not include real-estate-secured transactions.

Exemptions

The Georgia law exempts federally insured depository institutions and their subsidiaries, affiliates, and holding companies; Georgia-licensed money transmitters; captive finance companies; and institutions regulated by the federal Farm Credit Act. The law also exempts purchase money obligations.

Required Disclosures

The Georgia law requires providers of commercial financing transactions to furnish the following information prior to consummation:

  • Total funds provided to the business.
  • Total funds disbursed.
  • Total amount paid to the provider.
  • Total dollar cost of the transaction.
  • Payment schedule.
  • Costs associated with prepayment.

Penalties

Providers who violate these disclosure requirements face civil penalties ranging from $500 per violation to $20,000 with possible additional penalties for continued violations. Notably, violations do not affect the enforceability of the transactions, and there is no private right of action under the law.

The Florida Law

On June 26, 2023, Florida enacted the Florida Commercial Financing Disclosure Law, which requires covered providers to furnish consumer-oriented disclosures to businesses for certain commercial non-real-estate-secured financing transactions exceeding $500,000. The Florida law takes effect July 1, 2023 and becomes mandatory for transactions consummated on or after January 1, 2024.

The Florida law applies to providers of commercial financing transactions and defines “provider” as a “person who consummates more than five commercial financings” in Florida during any calendar year. “Commercial financing transactions” include commercial loans, open-end lines of credit, and accounts receivable purchase transactions. The Florida law exempts the following entities and transactions: federally insured depository institutions, their subsidiaries, affiliates, and holding companies; licensed money transmitters; real-estate-secured loans; loans exceeding $500,000; leases; and certain purchase money transactions.

Required Disclosures

The provider is required to disclose in writing the following at or before the consummation of a commercial financing transaction:

  • The total amount of funds provided to the business.
  • The total amount of funds disbursed to the business if less than the total amount of funds provided because of any fees deducted or withheld at disbursement and any amount paid to a third party on behalf of the business.
  • The total amount to be paid to the provider.
  • The total dollar cost of the commercial financing transaction, calculated by subtracting the total amount of funds provided from the total amount of the payments.
  • The manner, frequency, and amount of each payment or, if there are variable payments, an estimated initial payment and the methodology used for calculating it.
  • Certain information about prepayments.

Prohibited Acts

The Florida law prohibits a broker arranging a consumer financing transaction from engaging in any of the following acts:

  • Assessing, collecting, or soliciting an advance fee from a business to provide services to a broker. However, this prohibition would not preclude a broker from soliciting a business to pay for, or preclude a business from paying for, actual services necessary to apply for commercial financial products, such as a credit check or an appraisal of security, if certain conditions are met.
  • Making or using any false or misleading representations or omitting any material facts in the offer or sale of the services of a broker or engaging in any act that would “operate as fraud or deception upon any person in connection with the offer or sale of the services of the broker, notwithstanding the absence of reliance by the business.”
  • Making or using any false or deceptive representations in its business dealings.
  • Offering the services of a broker by any advertisement without disclosing the actual address and telephone number of the business of the broker.

Penalties 

Like the Georgia law, the Florida law punishes violations with civil fines ranging from $500 per incident to $20,000 with possible additional penalties for “aggregated violations.” Notably, violations do not impair the enforceability of the transactions or create a private right of action.

The Connecticut Law

On June 28, 2023, Connecticut enacted “An Act Requiring Certain Financing Disclosures,” which requires (1) lenders offering certain types of commercial purpose “sales-based financing” in amounts of $250,000 or less to provide specified consumer-like disclosures to applicants; and (2) mandates that lenders offering such credit register annually with the Connecticut Department of Banking starting by October 1, 2024. The Connecticut law authorizes the state banking commissioner to adopt promulgating regulations, and the law takes effect on July 1, 2024.

The Connecticut law applies to providers of commercial financings and defines “provider” as “a person who extends a specific offer of commercial financing to a recipient and includes, unless otherwise exempt … a commercial financing broker.”

“Commercial financing” means any extension of sales-based financing by a provider not exceeding $250,000. Under the statute, “sales-based financing” is a “transaction that is repaid by the recipient to the provider over time” (1) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the recipient’s sales or revenue, or (2) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue.

Notably, the Connecticut law exempts the following entities and transactions:

  • Banks, bank holding companies, credit unions, and their subsidiaries and affiliates.
  • Entities providing no more than five commercial financing transactions in a 12-month period.
  • Real-estate-secured loans.
  • Leases.
  • Purchase money obligations.
  • Technology service providers acting for an exempt entity as long as they do not have an interest in the entity’s program.
  • Transactions of $50,000 or more to motor vehicle dealers or rental companies.
  • Transactions offered in connection with the sale of a product that the person manufactures, licenses, or distributes.

Required Disclosures

The Connecticut law requires that before making a “specific offer” (i.e., a binding offer of credit) providers must furnish certain disclosures to borrowers, in a form prescribed by the state banking commissioner, including:

  • The total amount of the commercial financing.
  • The disbursement amount, which is the amount paid to the recipient or on the recipient’s behalf, excluding any finance charges that are deducted or withheld at disbursement.
  • The finance charge.
  • The total repayment amount, which is the disbursement amount plus the finance charge.
  • The estimated repayment period.
  • A payment schedule.
  • A description of fees not included in the finance charge such as draw fees, and late charges.
  • A description of any collateral requirements.
  • Information about brokerage compensation.

The Connecticut banking commissioner is expected to promulgate implementing regulations and model disclosures before the effective date of July 1, 2024.

Registration Requirement

The Connecticut law requires providers and brokers to register with the state banking commissioner by October 1, 2024 and to qualify to “do business” in the state. The registration must be renewed annually.

Penalties

The statute authorizes the banking commissioner to impose civil penalties of up to $100,000 for violations of the law as well as enjoin those violating the statute.

Takeaway

The three state laws recently enacted in Georgia, Florida, and Connecticut are part of a growing trend among states to regulate small-balance commercial non-real-estate-secured loans. The burdens imposed by the laws will be the lenders’ cross to bear unless they can avoid triggering the coverage of the statutes.

Consumer Finance State Roundup

By

The pace of legislative activity from this year’s current session can make it hard to stay abreast of new laws.  The Consumer Finance ABstract’s “Consumer Finance State Roundup” is intended to provide a brief overview of recently enacted measures of potential interest.  

During this current legislative session, the following three states have enacted measures of potential interest to Consumer Finance ABstract readers:

  • Colorado:  Effective August 8, 2023, Senate Bill 248 (2023 Colo. Sess. Laws 360) amends collection agency licensure requirements under the Colorado Fair Debt Collection Practices Act.  First, the measure amends Section 5-16-119 of the Colorado Revised Statutes to allow licensees to work from remote locations under certain conditions.  Specifically, the licensee must: (a) ensure that no in-person customer interactions are conducted at the remote location; (b) not designate the remote location as a business location to the consumer; (c) maintain appropriate safeguards for licensee data and consumer data, information, and records, including utilizing a secure VPN for secure access; (d) employ appropriate risk-based monitoring and oversight processes of work performed from a remote location that includes maintaining records of the monitoring and oversight processes; (e) ensure that consumer information and records are not maintained at a remote location; (f) provide appropriate employee training to ensure employees keep conversations confidential about and with consumers that are conducted from a remote location, and ensure that employees work in an environment that is conducive to ensure privacy and confidential conversations; and (g) ensure that consumer and licensee information and records are available for regulatory oversight and examination.  Second, the measure defines “remote location” as “a private residence of an employee of a licensee or another location selected by the employee and approved by the licensee.”
  • Colorado:  Effective June 7, 2023, House Bill 1266 (2023 Colo. Sess. Laws 440) amends the reverse mortgages provisions of the Colorado Revised Statutes to address an exception to repayment requirements of reverse mortgage transactions when a subject property is uninhabitable.  First, the measure defines the term “force majeure” in Section 11-38-102, describing certain criteria that would designate a subject property as uninhabitable as a principal residence of the reverse mortgage borrower.  Second, the measure amends Section 11-38-107 to create exceptions to repayment requirements of a reverse mortgage transaction when a home is not occupied due to a “force majeure”.   When the home is temporarily uninhabitable, the measure establishes that the reverse mortgage will not become due and payable to the lender (to the extent allowable by HUD’s regulations and policies), provided that all of the following conditions are met:  (a) the borrower must be engaged in repairing the home with the intent to reoccupy the home as a principal residence, or must sell the home; (b) the borrower must stay in communication with the lender while the home is being repaired and must reasonably respond to any lender inquiries; (c) the borrower must comply with all other terms and conditions of the reverse mortgage; and (d) the repairing or rebuilding of the home must not reduce the lender’s security.  Further, the amended section requires the lender to disclose these requirements to the borrower at closing.
  • Nebraska:  Effective June 7, 2023, Legislative Bill 92 amends various provisions of the Nebraska Revised Statutes, including the Nebraska Residential Mortgage Licensing Act (the “Mortgage Act”) and the Nebraska Installment Loan Act (the “Installment Act”).  First, the measure amends Section 45-735 under the Mortgage Act, to authorize the Department of Banking and Finance (“Department”) to adopt and promulgate rules, regulations, and orders to regarding the use of remote work arrangements conducted outside of a main office location or branch office by employees or agents, including mortgage loan originators, of licensed mortgage bankers, registrants, or installment loan companies.  (Current law prohibits a mortgage loan originator from conducting mortgage loan origination activities at any location that is not the main office of a licensed mortgage banker, registrant, or installment loan company, or a branch office of a licensed mortgage banker or registrant.)  Second, the measure amends the Installment Act by: (a) in Section 45-1002, adding definitions for the terms “consumer” and “loan”; (b)in Section 45-1003, adding a licensure requirement  for persons that are not financial institutions; and (c) in in Section 45-1006, permitting the Director of the Department to waive hearing requirements for any applicant that does not originate loans under the statute.
  • Texas:  Effective September 1, 2023, House Bill 219 adds provisions relating to lien release to Chapter 343 of the Texas Finance Code.  First, this measure requires that no later than the 60th day after receiving the correct payoff amount for a home loan from a mortgagor, a mortgage servicer or mortgagee must: (a) deliver to the mortgagor a release of lien for the home loan; or (b) file the release of lien with the appropriate county clerk’s office for recording in the real property records of the county.  Second, the measure requires a mortgage servicer or mortgagee to deliver or file the release of lien not later than the 30th day after receipt of the written request from the mortgagor, if on or before the 20th day after the date of the home loan payoff, the mortgagor delivers a written request to the mortgage servicer or mortgagee for the release of lien to be delivered to the mortgagor or filed with the county clerk.  Third, the measure requires a mortgage servicer or mortgagee to comply with these new requirements only if the entity has the authority to deliver or file a release of lien for the home loan. Fourth, in the event of a conflict between the new requirements and a home loan agreement entered prior to the measure’s effective date, the provisions of the home loan agreement would prevail.  Fifth, the measure provides relevant definitions, namely:  (a) that the terms “mortgage servicer”, “mortgagee” and “mortgagor” have the same meaning as under  Section 51.0001 of the Texas Property Code; and (b) the term “release of lien” means “a release of a deed of trust or other lien securing a home loan”.

 

Consumer Finance State Roundup

By

The pace of legislative activity from this year’s current session can make it hard to stay abreast of new laws.  The Consumer Finance ABStract’s “Consumer Finance State Roundup” is intended to provide a brief overview of recently enacted measures of potential interest.  For this first installation, we are including additional measures enacted during the current legislative session that will take effect in short order:

During this current legislative session, the following five states have enacted measures of potential interest to Consumer Finance ABstract readers:

  • Arkansas:  Effective July 31, 2023, House Bill 1439 (2023 Ark. Acts 325) amends the Fair Mortgage Lending Act to clarify the sponsorship process and amend licensing requirements.  First, the measure defines the term “[s]ponsor” to mean “a mortgage broker or mortgage banker licensed under [the Act] that has assumed the responsibility for and agrees to supervise the actions of a loan officer or transitional loan officer.”  Second, the measure clarifies that the termination of a sponsorship of a loan officer or transitional loan officer license under the Act extinguishes the right of that individual to engage in any mortgage loan activity.  Finally, the measure amends provisions related to renewal of a loan officer license to change a license status from “approved-inactive” to “approved” so long as, prior to the loan officer license termination, a licensed mortgage broker or mortgage banker meets certain requirements.

 

  • Arkansas:  Effective July 31, 2023, Senate Bill 321 (2023 Ark. Acts 360) amends provisions of the Arkansas Code relating to collection agencies.  Among other provisions, the measure amends Section 17-24-101 to clarify that the term “collection agency” means any person or entity that “(1) Engages in the collection of delinquent accounts, bills, or other forms of indebtedness owed or due or asserted to be owed or due to another; (2) Uses a fictitious name or any name other than its own to collect their own accounts receivable; (3) Solicits claims for collection; or (4) Purchases and attempts to collect delinquent accounts or bills.”

 

  • Montana:  Effective July 1, 2023, House Bill 30 (2023 Mont. Laws 4) amends the Montana Mortgage Act (“Act”) to adopt prudential standards for non-bank mortgage servicers and allow remote work for mortgage loan originators (“MLOs”), among other provisions.  First, the measure establishes capital and liquidity requirements for servicers. Second, the measure requires certain entities (that are “covered institutions”) to establish and maintain corporate governance standards, including for internal and external audits and risk management.  Third, the measure amends the definition of “mortgage servicer” to add the servicing of forward mortgages and home equity conversion mortgages or reverse mortgages for receiving payments. Fourth, the measure requires a licensee under the Act to have one MLO serve as a designated manager responsible for mortgage origination activity across the entire entity;.  Finally, the measure requires a licensee under the Act to file a written report with the Department of Administration within 15 business days after learning of a cybersecurity incident affecting business operations or potentially exposing personal information of customers.  For a detailed summary analysis on the measure’s provisions addressing remote work by MLOs, please see our previous post.

 

  • North Dakota:  Effective August 1, 2023, Senate Bill 2090 amends the North Dakota Code with respect to the licensing of residential mortgage lenders and money brokers.  First, the measure enacts a new Chapter 13-12 of the North Dakota Century Code to address the licensing of residential mortgage lenders.  Under current law, mortgage lender licensing falls within the scope of the money broker statutes in Chapter 13-04 of the Code.  Second, the measure provides that any residential mortgage lender that holds a valid North Dakota money broker license as of August 1, 2023, will not be required to obtain a residential mortgage lender license under new Section 13-12-03 until December 31, 2023.

 

  • Ohio:  Effective December 29, 2023, Senate Bill 131 (2022 Ohio Laws 156) amends mortgage (and other industry) licensing standards to address license reciprocity requirements.  Under the Ohio Residential Mortgage Lending Act (Ohio. Rev. Code § 1322.01 et seq.), the measure provides for an applicant to obtain a registration for a mortgage lender or broker or a license for a mortgage loan originator (“MLO”) by reciprocity under Section 1322.10 or Section 1322.21, respectively, of the Ohio Revised Code if the applicant: (i) holds a license or certificate of registration in another state; or (ii) has satisfactory work experience, a government certification, or a private certification (as described in that chapter) as a mortgage broker, mortgage lender, or MLO in a state that does not issue that license or certificate of registration.

 

  • Virginia:  Effective July 1, 2023, House Bill 2389 (2023 Va. Acts 573) amends provisions of the Mortgage Lenders and Mortgage Brokers Act (Va. Code Ann. § 6.2-1600 et seq.) to permit licensed mortgage lenders and mortgage brokers to allow employees and exclusive agents to work from a remote location provided that certain criteria are met.   Specifically, the measure adds to Section 6.2-1607 a list of conditions that must be met in order for a licensee’s employees to work from a remote location, including that: (a) the licensee has written policies and procedures for the supervision of employees or exclusive agents working from a remote location; (b) access to the licensee’s platforms and customer information through a VPN or comparable system, and is in accordance with the licensee’s comprehensive written information security plan; (b) no in-person customer interaction occurs at an employee’s or exclusive agent’s residence, unless such residence is an approved office; and (d) the licensee employs appropriate risk-based monitoring and oversight processes, and any employee or exclusive agent who works from a remote location must comply with the licensee’s established practice.

 

CFPB Issues Preemption Determination that State Commercial Financing Disclosure Laws Are Not Preempted By TILA

By ,

A&B Abstract:

The Consumer Financial Protection Bureau (CFPB) recently announced that it issued a final preemption determination concluding that certain state disclosure laws applicable to commercial financing transactions in California, New York, Utah, and Virginia are not preempted by the federal Truth in Lending Act (TILA). As covered in a previous post, we note that the California, Utah, and Virginia laws have already gone into effect, and New York’s is set to become effective on August 1, 2023.

State Commercial Lending Laws

After examining the state disclosure laws in California, New York, Utah, and Virginia, the CFPB recently affirmed that there is no conflict with TILA because the state laws extend disclosure protections to businesses seeking commercial financing, which are beyond the scope of TILA’s statutory consumer credit protections.  Specifically, the CFPB determined that TILA only preempts state laws under conflict preemption, which the CFPB interprets to mean that TILA preempts state laws only if they are “inconsistent” with TILA.

In California, New York, and Utah, state laws require lenders to issue disclosures in certain commercial financing transactions, the purpose of which is generally defined to mean primarily for other than personal, family, or household purposes.  This is in contrast to TILA’s application to consumer credit, which is extended primarily for personal, family, or household purposes.  In December 2022, the CFPB made a preliminary determination that New York’s commercial financing disclosure law was not preempted by TILA because the state law regulates commercial financial transactions rather than consumer-purpose transactions.

In Virginia, disclosures are required in connection with “sales-based financing,” which is defined generally as a transaction in which the financing is repaid by the recipient based on a percentage of sales or revenue.  “Recipient” means a person whose principal place of business is in Virginia and that applies for sales-based financing and is made a specific offer of sales-based financing by a sales-based financing provider.  Based on these definitions, it appears that the Virginia law would not apply to a consumer credit transaction.  However, the CFPB generally noted that, to the extent state law could apply to a consumer credit transaction, there would still be no inconsistency with TILA.

Accordingly, the CFPB found that the four states’ commercial financing disclosure laws are not inconsistent with and, therefore, not preempted by the federal TILA.

Takeaway

As states continue to propose and enact similar laws requiring disclosures in commercial financing transactions, an argument that federal law preempts such state laws is unlikely to succeed.  Thus, companies should monitor ongoing state regulatory trends in commercial financing transactions to ensure compliance with the consumer-style disclosure requirements that may apply.