Why Can't We Be Friends? Congress May Resolve the Agency Turf War Over Crypto
In the ever-heated debate surrounding regulatory authority of crypto assets, Senators Lummis's and Gillibrand's Responsible Financial Innovation Act would require inter-agency cooperation between both federal agencies and federal and state agencies related to cryptocurrency.
The Act would provide the CFTC with broad regulatory authority by defining most "crypto assets" as commodities and creating the presumption that "ancillary assets" are also commodities. It also provides a regulatory framework for the IRS, increases FinCEN's enforcement duties, and seeks cooperation between all regulatory agencies related to crypto. The bill would even give authority over stablecoins to the Office of the Comptroller of the Currency. The SEC's authority would be limited to crypto assets that provide a clear financial interest in a business entity to an investor. That is a much more limited role over crypto than the SEC currently believes it has.
The Act seeks to regulate both centralized and decentralized crypto asset exchanges as "Futures Commission Merchants" with a laundry list of requirements. The exchanges would have to: register with the CFTC as a crypto asset exchange; confirm ancillary assets meet disclosure requirements before listing the asset; comply with core exchange principles; safeguard customer assets; monitor trading; prevent market manipulation; and report price and trade volume of crypto assets. In addition, exchanges must implement risk management standards for customers. The CFTC would also adopt risk-management standards for self-hosted wallets that interact with exchanges.
Congress' attempt to create rule and order in crypto through cooperation and fair distribution of regulatory duties calls to mind War's classic song "Why Can't We Be Friends?" It also might be a long shot to actually be enacted. If it does become law, most of the regulators would be singing Kumbaya, while the SEC is left out of the clique, Mean Girls style. But, at least they're trying, which is far better than the blatant refusal to provide guidance we've experienced these past few years—here's looking at you, SEC.
This isn’t a red pill/blue pill situation. There are some dangerous pitfalls with summarily categorizing all crypto assets as commodities as long as they don't have interest in business entities. While this bill would take a decent first step towards regulation, anyone in the crypto space knows that only more legislation is on the horizon.
Fee Fallin'–Insufficient Funds Fees Now in the Crosshairs
After shining its spotlight on credit card late fees for many months, CFPB is turning its attention to another "junk" fee, the one charged by depository institutions for initiating a transaction with insufficient funds, also known as NSF ("non-sufficient funds") fees. CFPB joined forces with the OCC to fine Bank of America $120 million over its NSF practices, as well as an additional $30 million related to its practice of opening accounts not requested by customers and withholding promised credit card rewards. The agencies ordered the bank to refund consumers more than $80 million in NSF fees charged between 2018 and 2022. No laws prohibit banks from charging NSF fees when a customer authorizes a transaction without sufficient funds to pay the transaction. CFPB alleged the bank's practice was unfair because it charged customers multiple fees for the same declined transaction where the merchant resubmitted it.
Some banks are pushing back against the regulatory crackdown on NSF fees. The Minnesota Bankers Association and Lake Street Bank sued the FDIC this month, alleging the agency exceeded its authority in actions similar to CFPB's regarding NSF fees. Last August, the agency issued supervisory guidance stating its view that charging multiple NSF fees for the same declined transaction was an unfair and deceptive practice. The lawsuit against the FDIC alleges largely procedural violations, namely that the agency does not have the authority to prohibit unfair and deceptive practices by rulemaking and should have gone through a formal rulemaking process to address the issue.
CPFB has had some success in its campaign to reduce the fees that banks charge consumers, most notably in getting many credit card companies to voluntarily eliminate or reduce fees for late payments. You might even say that bank fees are…♪ free fallin' ♪, thanks to CFPB. (♫ She's a good girl, loves her Mama, loves bank fees, and America too.♫ Are those the right lyrics?) Now, it's turning its attention to NSF fees and back to one of its favorite large bank targets, Bank of America. The fine levied is enormous: $120 million between CFPB it's the OCC, related to its NSF fees. CFPB also took the unusual step of publishing a separate blog post informing affected customers how to get refunds from the bank. And while the Minnesota Bankers' challenge to the FDIC's rule on NSF fees has some merit, the challenges are mostly procedural, not substantive.* Our advice to consumer finance companies is to be extremely careful about any and all fees charged to consumers, particularly penalty fees. Ensure that disclosures are clear and accurate and that fees aren't charged multiple times for the same violation.
*The Minnesota Bankers allege that the FDIC's supervisory guidance was illegal because it essentially enacted a substantive rule without going through the formal rulemaking process. Announcing policy changes through guidance is a favorite tactic of CFPB under Rohit Chopra, but we have not seen many lawsuits over it, yet. It will be interesting to see if CFPB is chastened by the suit or whether other companies affected by CFPB tactics are emboldened to file similar suits.
One of These Things is Not Like the Other–Two States Adopt Laws Specific to Earned Wage Access (EWA)
Nevada and Missouri each passed legislation this summer creating a regulatory regime specific to earned wage access (EWA) programs, which allow employees to access wages earned before payday. Both states' laws establish that EWA products are not credit and therefore not subject to existing lending laws. Providers in either state do not need money transmission or lending licenses, but in Missouri they will have to register, and in Nevada they will have to obtain an EWA-specific license. But these laws are not giveaways to industry as they each contain significant (and largely similar) consumer protections.
Nevada's law imposes, among other things, several substantive requirements, including that providers: make at least one no-cost way to obtain EWA available to consumers; disclose fees and that paying of tips is optional; allow cancellation of the service without penalty; and not charge penalty fees. Missouri's law is quite similar but does not require a free option. Missouri's law takes effect this August 28, 2023. Nevada's law requires EWA providers to apply for a license not due before January 1, 2024, and the substantive provisions take effect in July 2024 or earlier, if regulations are implemented.
These laws contrast with the proposal earlier this year from the California Department of Financial Innovation that would deem EWA credit subject to existing consumer-loan laws. That rulemaking is pending.
EWA and loans—one of these things is not like the other. There is no doubt much more to come at both the state and possibly federal levels on this relatively novel product. Most of the action boils down to whether EWA should be regulated like a loan or not. Maybe Cookie Monster could help mediate this debate? While we can expect at least some other states to adopt laws similar to Nevada and Missouri, we also expect some states to consider more California-like approaches, which would treat EWA like loans. And CFPB hinted over a year ago that it might take further action on EWA (although EWA regulation was not included in CFPB's recent regulatory agenda).
We at Explainer Things are on the record that clean slate EWA-specific regulation makes far more sense than shoehorning EWA into inapplicable lending schemes. Treating EWA as credit ignores the obvious consumer benefits it provides as compared to other short-term liquidity products like payday loans. And both the Nevada and Missouri laws allow state regulators to maintain oversight and identify concerning practices that warrant increased or different consumer protections.
A TILA Story: Personal, Family, or Household Purposes
On Memorial Day weekend 1968, moviegoers flocked to theaters to see 2001: A Space Odyssey. Many left the theater grappling with profound questions about the meaning of life. Days later TILA was signed into law, prompting lenders everywhere to ask an equally profound question—what does "primarily for personal, family, or household purposes" mean? Fifty-five years later, moviegoers flocked to theaters to see Barbie, which begins with a comical homage to 2001. Not so comical—we're still arguing about what constitutes "business purpose" under TILA.
The debate continues in the great state of Maine in the case of Franklin Savings Bank v. Bordick. The Bordicks obtained a loan to build a second home in 2008. They eventually sold the home at a loss. To cover the shortfall, they took out a new loan, offering their hunting cabin as collateral. After they were unable to pay, they heard a Knock at the Cabin–the bank had come to take possession. The Bordicks fought back in court, arguing the lender failed to provide TILA disclosures. The court disagreed, holding that TILA did not apply because the loan documents stated the loan had a commercial purpose and the true purpose of the loan was irrelevant.
CFPB weighed in earlier this month, filing an amicus brief on July 12. CFPB argues that the lender cannot rely solely on statements in the loan documents that the loan is for business purpose. A lender must look at the facts and circumstances of the transaction to determine if the loan is primarily for personal, family, or household purposes.
We are shocked—SHOCKED!!!—that this issue is still being litigated. This question has been litigated on a case-by-case basis in every decade since TILA was enacted. For context, this means there are only slightly more TILA cases on this question than there are films in the Fast and Furious franchise. Regardless of whether CFPB's arguments prevail, lenders should not relax their procedures for thoroughly documenting business-purpose justifications. The loan agreement must contain signed borrower representations, but it is equally important to capture borrower intent in the loan application, documents submitted in support of the application, and separate disclosures provided to the applicant. And train your loan officers to spot problems—if a hypothetical loan applicant (let's call him Dave) ever asks for a business loan, but the application looks like the loan is for personal, family, or household purposes, just look the applicant in the eye and robotically say, "I'm sorry, Dave. I can't do that."
Sorrows, Sorrows, Prayers–Yup, We're Talking About the TCPA Again
This month's update was supposed to cover the FTC's enforcement action against Yodel Technologies for placing more than a billion robocalls to consumers, nearly half of which were to phone numbers listed on the federal do not call registry, using soundboard technology. You can read about that here.
But then the full eleventh circuit issued its decision in Drazen v. GoDaddy.com on July 24, 2023. At issue in Drazen was the question of whether a single text message sent in violation of the TCPA was sufficient to establish standing to state a claim in federal courts. As you may recall from law school (or super boring TV law procedurals, if you're lucky enough not to have gone to law school), federal courts lack jurisdiction over a case unless the matter qualifies as a "case" or "controversy." In other words, to proceed in federal court, a plaintiff must be able to demonstrate, among other things, that they suffered a concrete injury. (If you really want to geek out on Article III standing, there's a lot out there. We would direct you to start with the Supreme Court's decisions in Spokeo, Inc. v. Robbins and Transunion LLC v. Ramirez.)
Intangible harms, such as invasion of privacy, can sometimes be sufficient to satisfy the concreteness requirement for standing, if the harm at issue bears a "close relationship" to a harm traditionally recognized at common law. All circuit courts to have considered the issue have concluded a single TCPA violation bears just such a sufficiently close relationship to the common law tort of invasion of privacy to qualify as a concrete injury... except for the eleventh circuit. Until now, that is. In Drazen, the court reversed itself and, aligning with its sister circuits, concluded a single unwanted text message is sufficient to establish Article III standing.
The court's decision is not terribly surprising, particularly since all other circuit courts to have considered the issue have held one call or text is sufficient to confer standing to bring a TCPA lawsuit. Nevertheless, this decision will be a blow to companies (and federal judges!) facing TCPA litigation in the eleventh circuit, particularly in Florida. Florida is one of the most litigious states for TCPA filings. But over the last year or so, courts began dismissing TCPA lawsuits on standing grounds (sometimes without either party moving for dismissal first) because if there is no Article III standing, the court lacks jurisdiction to hear the case. But with the Drazen decision, the party's over. To quote Queen Charlotte (#abridgertonstory), "sorrows, sorrows, prayers."
Three More Contestants in the Privacy Law Rodeo: Oregon, Delaware, and Florida
Assuming no gubernatorial veto, Oregon and Delaware are poised to become the latest states to enact comprehensive privacy legislation. The Oregon Consumer Privacy Act would become effective in July of 2024 and the Delaware Personal Data Privacy Act could become effective as early as January 2025. Florida passed a new Florida Digital Bill of Rights last month, which is much narrower than those in Oregon or Delaware and takes effect in July 2024.
The Oregon and Delaware privacy laws both apply to businesses that generate above a certain threshold of their annual revenue from selling personal data (the threshold is 20 percent in Oregon and 25 percent in Delaware). Additionally, the Oregon law applies to businesses that process personal data of more than 100,000 consumers. Of note, institutions subject to the Gramm-Leach-Bliley Act are exempt from both states' laws, and information processed under the GLBA is exempt under the Oregon bill. One significant right afforded to consumers under both laws is the right to opt out. Both states permit residents to opt out of personal data processed for targeted advertising, sale, or profiling the consumer to support significant decision-making or legal effects. Both laws have special requirements for sensitive data, including racial or ethnic background, national origin, etc.
Oregon and Delaware also require consumer consent to process personal data of children, although they differ somewhat in the ages for which consent is required. Both states will also require companies to conduct a "data protection assessment" for certain high risk activities. These triggering activities can include things like any processing of sensitive data, targeted marketing, and certain uses of AI. Violations of both statutes are enforceable by the states' Attorneys General, and both provide a period of time for a company to cure an alleged violation of the act (Oregon with a cure period of 30 days, and Delaware with a cure period of 60 days).
The Florida statute's most distinguishing factor is its very narrow scope. It applies only to businesses with more than $1 billion in global gross annual revenue and who either: (1) derive half of that revenue from online advertisements; (2) offer certain types of virtual assistant or home speaker services; or (3) operate an app store for consumers to download and install software applications. In other words, the Florida law will not apply to the majority of businesses. The Florida law requires controllers that sell sensitive data or biometric data to provide conspicuous notice to consumers on an annual basis, and mandates the language the controller uses. The statute also grants Florida consumers the right to opt out of the collection of data through controllers' voice or facial recognition technology. Even if a consumer has not opted out, however, the law prohibits controllers from collecting data from voice-activated devices when those devices are not in use, unless the consumer has expressly authorized such data collection.
Companies again find themselves facing a wide variety of obligations when it comes to personal data privacy, and these laws further illustrate how important it is to take a holistic approach to compliance—keeping up with these obligations in piecemeal fashion will be more difficult going forward. As for Delaware, the new law is not the only law companies should be paying attention to. It adds to Delaware’s existing, though less stringent, online privacy law—the Delaware Online Privacy and Protection Act. The obligations in the new law are more onerous, but it will be important to make sure that the obligations in both laws are met. And although the Florida law's application is narrow, it does give us insight into the kinds of data-privacy protections that Florida legislators would like to see for their constituents.