Maintaining compliance with federal regulations can be resource-intensive for financial institutions, and state laws and regulations add to the burden. Two current hot topics for state compliance include data privacy and the Telephone Consumer Protection Act (TCPA).
Let’s take a closer look at the state-level regulatory landscape in these areas. This information is not intended to be comprehensive or constitute legal advice.
In the absence of a comprehensive federal data privacy bill, more and more states are passing their own data privacy laws. To date, 11 states have passed comprehensive privacy legislation in the U.S. (alphabetically: California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia), with California, Colorado, and Virginia being the trailblazers.
As state privacy legislation has evolved, laws tend to resemble either the California model or the Virginia/Colorado/Connecticut model, with some minor differences. Note that only the California Consumer Privacy Act includes a private right of action, and even that one is limited to data breaches.
If you are a privacy officer at a U.S. financial institution, you might be thinking that none of these state privacy laws apply to your institution. In reality, parts of them might, which is why you have to perform a risk assessment on state data privacy laws to document how and why they don’t pertain. When performing this risk assessment, it’s important to consider how the exemption or excluded sections of each law are worded. Some exclude financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), which is a broad exemption. Others only exclude GLBA-protected data, not the institution itself.
If you are a privacy officer at a non-bank fintech, don’t assume that your organization or its data are exempt from state privacy laws. Fintechs may collect and process data that isn’t regulated by GLBA. This type of analysis may go beyond a risk assessment and may be best handled by privacy attorneys.
Many states have Telephone Consumer Protection Act laws, called “mini-TCPA” laws, which tend to be more stringent than the federal TCPA. Maryland, Florida, Oklahoma, Washington, Texas, Virginia, New Jersey, and New York have mini-TCPA laws — all with different effective dates — and Michigan and Georgia have them in the works. Collections officers and marketing officers at financial institutions will want to familiarize themselves with the nuances of TCPA since it can be a litigious topic.
Most state mini-TCPA laws include some type of civil right of private action, and most modify the 9:00 p.m. federal limit on initiating calls and instead make it 8:00 p.m. Many require the caller to identify themselves upon connecting the call, and some also require the caller to identify who they are calling on behalf of. Many of the mini-TCPA laws also have prohibitions against blocking or “spoofing” the phone number. Some contain a provision that if the recipient asks to not be called again, the caller must end the call within 10 seconds. Some also limit the number of calls or texts a recipient can receive within a 24-hour period.
What might be the most interesting aspect of state mini-TCPA laws that are still in the proposed stage are provisions that define and protect “vulnerable individuals,” prohibit repeated/continuous calling that would be considered annoying, and require lengthy records retention requirements on callers for numbers called.
As with state privacy laws, it’s best if compliance officers at financial institutions perform a risk assessment on mini-TCPA laws to document their understanding of the laws and the risks. This also allows compliance teams to document when and how the institution initiates calls, including whether any type of auto-dialer is used.
Most states have their own versions of laws and regulations pertaining to fair lending/fair housing (sometimes referred to as human rights or human relations acts) and to unfair, deceptive, or abusive acts or practices (UDAAP), commonly referred to as consumer protection.
Regarding fair lending, nuances exist from state to state in terms of defining “protected bases.” If you are a compliance officer at an institution that offers lending services — even small business lending, since these laws and regulations can now pertain to small business loans — you should familiarize yourself with the variations in state requirements.
The same applies to state-level consumer protection laws. State attorneys general will often join the CFPB in an action against an entity that is harming consumers financially. While every state has some level of consumer protection laws, some states such as California, New York, and Massachusetts have mature laws with active enforcement.
Compliance and risk officers at financial institutions and fintechs should remember that all of these laws and regulations apply to the vendors and third-party relationships you engage. A violation of any of these laws or regulations by a third party will likely result in a violation against the institution. Vendors may be aware of federal laws and regulations, but may not be aware of state-level requirements, and the burden to ensure that they are compliant rests on the financial institution.