CA Financial Services Related Bills

contract-iconVirtual Currency Act

AB 1326 (Dababneh) as amended 7.6.15

Adds Financial Code 26000 licensing for virtual currency

Creates requirements for persons engaged in any virtual currency business to either obtain a license or qualify for an exemption from licensure to operate in California. Under AB 1326 “‘virtual currency business’ means maintaining full custody or control of virtual currency in this state on behalf of others.”

Virtual currency businesses would be required to pay a $5000 application fee, complete the application form, maintain a trust account/bond to benefit consumers, provide a specified receipt to consumers, submit to examinations. Violations are subject to civil penalties.

Additionally, a virtual currency business in good standing may be eligible to convert their virtual currency business license to a money transmission license under the Money Transmission Act provided meeting certain criteria, which includes “conducting [a] virtual currency business with less than $1,000,000 in outstanding obligations and whose business model, as determined by the commissioner, represents low or no risk to consumers to register with a $500 license fee and, if approved, receive a provisional license to conduct virtual currency business.”

The bill also provides for a provisional license for virtual currency businesses “with less than one million dollars ($1,000,000) in outstanding obligations and whose business model, as determined by the commissioner, represents low or no risk to consumers may register with a five-hundred-dollar ($500) license fee with the commissioner”  They must register with FinCEN as a money services business, if applicable.

Finder’s Fee for Pilot Program for Increased Access to Responsible Small Dollar Loans

SB 235 (Block)

Would increase compensation to finders (entities that bring borrowers and licensed lenders together) from $45/40 to “no more than $70” per loan

The bill would also “require a licensee to provide the commissioner with prescribed information relating to each finder, including, but not limited to, the finder’s delinquency rate and default rate, and would authorize the commissioner to take prescribed action against a finder that is found to be in violation, including, but not limited to, disqualifying the finder from providing services under the pilot program.”

Creates Bank on California under DBO 

AB 1292 (Dababneh)

Various changes to Data Breach Notification Laws

SB 570; AB 83; AB 259; AB 964

 

New Developments for Song-Beverly

data-breach1A couple notable developments on California’s Song-Beverly Credit Card Act, which limits retailers from collecting certain types of personal information from its customers.

California’s SB 383 (Jackson) passed the Senate earlier this year, which addresses the Apple v. Superior Court decision.  This bill would extend Song-Beverly protections to online retailers and prohibit them from collecting certain types of personal information when consumers purchase “electronically downloadable content” unless for fraud detection and prevention purposes.  A pretty narrow bill, to address a pretty narrow ruling.

Consumers can’t be required to provide their email addresses, unless for an “incidental but related purpose,” when shopping at a brick and mortar store any longer, a result of Capp v. Nordstrom.

Why might might consumers be spooked about giving out their email addresses or zip codes at the point of sale?  If you haven’t read this article in Forbes, it explains why very simply.

Not Song-Beverly related, but more in following up on data breaches and their aftermath as some consumers try to figure out how to dig out from identity theft or try to keep their financial lives from being wrecked.  Brian Krebs has confirmed that credit monitoring services are not helpful in his recent post, “Are Credit Monitoring Services Worth It.”

 

10 (Mostly) Interesting Links on Data Breaches

data-breach1Data breaches are on the minds of a lot of people today, beyond the usual group of privacy and security professionals, privacy advocates, and lawmakers as a result of the Target breach.

I’ve compiled a list of 10 interesting links on data breaches (including some regarding their intersection with payments and privacy:

1.  Over 660 million breaches–The Target breach is certainly substantial, but certainly not a new occurrence.  To date, according to Privacy Rights Clearinghouse’s tally which they began in 2005, 662,081,528 records have been breached.

2.  EMV (Chip and PIN) Cards Touted as the Solution–More influentials and groups are taking on the position that EMV or chip and PIN cards, are the solution to prevent hackers and cybercriminals to get access to personal data–Target’s CEO and the National Retail Federation are beating this drum lately.

3.  But Really, EMV Cards Are Not A Swift Solution–Certainly, faster adoption of chip and PIN, or EMV cards, will likely lower fraud, and will place the US among Canada, Europe and just about everywhere else in the plastic card carrying world.  And, issuers have been sending out credit cards with chip and PINs (I have a couple) to US cardholders.  But, the technology remains pretty useless until merchants have the proper readers and software to accept the cards.  It likely won’t be a few years until chip and PIN take over, as payment networks, Mastercard, Visa and American Express have given their merchants until 2015 to obtain hardware and software to accept EMV cards…

4.  Encryption–Heartland Payment Systems took a beating in 2008 after their 2008  breach, with one of their big clients, TJX Companies losing an estimated $171 million in that breach.  But, Heartland was able to turn it around and is now touting end-to-end encryption.

5.   There Is No Federal Data Breach Notification Law–The public knows about data breaches as a result of 46 state and the D.C.’s data breach Laws.  Otherwise, we likely would have no idea how many records with personal information have been breached or may have fallen into the wrong hands.

6.  California Is The First State To Pass A Data Breach Notification Law.  This happened back in 2002.

7.  California Adds Onto Its Data Breach LawSB 46 expanded California’s data breach law to require notification when passwords and usernames are included.

8.  What Is The Customer’s Liability?–If an individual finds there has been fraud, it will  depend on how a transaction was made.  Bottom line, using a credit card is best at the checkout or online.  (PaymentsLaw.com is mentioned!)

9.  The Payments Landscape Will Forever Be Changed, Or Not–Such large data breaches do bring about larger discussions on whether or not significant changes will be made.  A few experts give their 2 cents.

10.  What To Do If Your Info Was HackedGood tips on what to do if you get a notice your information may have been hacked, from Privacy Rights Clearinghouse.

The TCPA and Payments?

text_messagingThe new rules to the TCPA (Telephone Consumer Protection Act) go into effect today.  Generally speaking, consumers should be overjoyed that their dinners will likely go uninterrupted by an automated call from a telemarketer, creditor or debt collector (provided that they did not provide express consent to have them make the call in the first place).  But in the world full of mobile phones and text messaging, entities who have been auto generating offers and rewards need to take extra caution.

These new rules have been a hot topic in the legal world since the FCC issued them last year.  Legal news and blogs have been all over the issue for months.  Two key changes include the requirement of express consent and the end of the established relationship business exception.

Since I focus largely on payments and privacy, it seems appropriate to take a look at these significant changes to the TCPA, as they relate to merchants, creditors and debt collectors.

In the money and payments chain, merchants, creditors and debt collectors will also need to take extra caution and provide “clear and conspicuous disclosures” when obtaining “express consent” from their applicants and customers.  They should make sure they have documented proof of this consent in the event that they are met with future allegations of TCPA violations, as there will likely be plenty.  The cost for violation can be very high, starting from $500 up to $1500 per call.  Just ask Papa John’s who recently had to fork over $16.5M when its affiliates had a marketer send out unwanted text messages for their pizzas.

 

This blog is for general information and educational purposes, not to provide legal advice. If you need legal advice, please consult with a qualified attorney.