1. CCPA Compliance
Raised awareness generated by the issuance of the European General Data Protection Regulation (GDPR) gave consumer advocacy groups enough visibility to be able to pursue a ballot initiative with extremely burdensome requirements for businesses while also making it easy for plaintiffs to obtain disproportionate settlements. In this context, on June 28, 2018, California governor Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA), which becomes effective on January 1, 2020. This law was passed by the California Legislature in less than a few days, and only a few hours before the deadline to avoid a ballot initiative during the November 2018 election. This is a vivid example of states rushing to regulate areas in which the federal government has left unregulated.
As a result of this, the CCPA exists with ambiguous language and demands exhaustive and comprehensive regulations to fill in the numerous gaps left behind in its rushed legislative proceeding. Crucial concepts need to be clarified. One example is the definition of “personal information” and whether this includes IP addresses and inferences drawn from a customer’s personal information that is used to create a profile about that consumer.
The CCPA gives California consumers three things:
- Ownership over their data and the right to tell businesses not to sell or share their data
- Control over the personal information that is collected about them
- Assurance of data security and the right to hold businesses responsible for safeguarding their personal information
California Attorney General Xavier Becerra is the authority tasked with the regulation of CCPA, so monitoring his activities is critical to understanding the scope of these new regulations. On January 8, 2019, the first of a series of six public rulemaking workshops were held in San Francisco, kickstarting this rulemaking process, and the first draft of these regulations is expected this fall.
Since California is the world’s 5th largest economy and home to many of the world’s largest technology companies, the CCPA is likely to have a direct effect on the worldwide economy. The most adverse effect of the CCPA may be the wave of state-issued regulations on consumer data privacy that will follow. Imagine trying to comply with 49 different privacy regulations, each with differences on disclosure requirements and procedures. The effect could be devastating.
Key takeaway: There are many unknowns with regards to how a bank can be in compliance with and protect itself against the requirements of the CCPA. It will be important for executives and board members to monitor regulatory activity and enforcement actions once the act falls into effect in 2020. Until then, it is important to perform a “data audit” to be aware of and document how and where your customer data is being stored.
2. Cryptocurrency Money Transmitters
The surge of virtual currencies during the last year has led to dissimilar regulatory frameworks across different states. In a broad sense, virtual currencies are subject to an array of federal regulations such as taxation, BSA/AML regulations, and securities laws (in the case of ICOs), however, the transmission of the virtual currencies, or digital assets, is left to state laws and regulations.
The state-level agencies that have taken the lead in cryptocurrency regulation have enacted money transmission laws and regulations, established specific licensing requirements, and issued regulatory guidance to clarify how the virtual currency fits into their particular regulatory schemes.
As of today, forty-nine states have enacted their own version of the Money Transmitters Act, and several states have chosen to include the exchange of virtual currencies under the scope of these laws. Including cryptocurrencies under the scope of money transmitting regulations imposes new compliance procedures to businesses engaging in virtual currency activity, such as licensing requirements, and the need for surety bonds among others. For example, the Department of Financial Services of New York, recently issued the first “BitLicense” to a Bitcoin ATM, a trend that is likely to be followed closely by other states.
Additionally, among most states, the publication of agency guidelines to help businesses navigate the uncertainty surrounding the legal nature of virtual currencies is a dynamic landscape. While some states, such as California, have chosen to avoid officially addressing the subject, others have issued very clear guidance to exclude cryptocurrencies from being treated as currencies, such as New Hampshire and Montana. Other states such as New York, Idaho, and New Mexico have defined cryptocurrencies as a currency by definition.
What does this mean for businesses? It means that doing business that fall within the gray area of regulation is complicated and risky. As a dynamic subject, you could be in a jurisdiction that currently doesn’t have strictly defined regulations one day, then quite literally the next day, you could be subject to penalties and sanctions. Federal agencies, such as the SEC, offer No Action Letters to protect businesses that operate in areas where the rules are not yet defined, but imagine the burden of managing this across 50 different states. This lack of clarity and disparity in regulation can be a major deterrent for innovative companies.
Key Takeaway: Cryptocurrency regulations, particularly related to money transmitter laws, need to be closely monitored. Although potentially cumbersome, tracking enforcement activity related to this is a common and practical way for firms to understand evolving trends and requirements.
3. Consumer Real Estate Foreclosure Regulations
Regulatory activity isn’t limited to evolving advanced technologies and disruptive businesses. Traditional businesses with long-standing laws and regulations, such as real estate mortgage lending and their foreclosure proceedings, also suffer from disparate and ever-changing regulations across the U.S. states. In fact, there are many longstanding business practices with varying regulatory requirements across state lines.
Stemming from the same common law institutions, highly matured laws and regulations affecting real estate mortgages have evolved independently across each state. State-legislative and regulatory history demonstrate how apparently similar proceedings are interpreted differently in each state with nuanced versions of related rules.
For example, different state laws will allow mortgagors to be able to redeem (or buy back) their homes after they have gone through the foreclosure process. In some states, a mortgagor will be able to “redeem” their home by paying off the total amount owed to the lender before the foreclosure sale, or by paying the amount paid by the buyer in the foreclosure proceedings in order to buy back the home. Although all states recognize the right of redemption for homeowners prior to the foreclosure sale, not all states grant foreclosed homeowners a redemption period after the foreclosure to recover their home. In the U.S., only nineteen states grant homeowners a statutory right of redemption after foreclosure, and in every one of these states the procedural rules that apply establish different requirements in order to be effective.
In Illinois, for example, this right can be exercised only within seven months after the foreclosure complaint, or three months after final foreclosure judgment, whichever date is later, by paying the amount of outstanding mortgage debt plus interest and costs. In contrast, Michigan allows this redemption period if the residential property is of four units or less. The redemption period may go from six months, if the mortgage is executed on or after January 1, 1965, and the outstanding mortgage debt is more than two-thirds of original mortgage debt; three months if the property is abandoned and the outstanding mortgage debt is less than or equal to two-thirds of the original mortgage debt; one month if the property is abandoned and outstanding mortgage debt is more than two-thirds of original mortgage debt; or one year for all other residential properties of four units or less.
The point is, the legal burden imposed upon mortgage companies doing business across state lines is extremely convoluted. The mortgage industry is ripe for disruption, as is evident with the number of technology-driven companies providing modern mortgage solutions to customers. However, the regulatory environment governing its operations is inconsistent, nuanced and challenging to monitor.
Key Takeaway: Consumer real estate and mortgages isn’t as sexy a topic as cryptocurrency or consumer privacy, but it is nonetheless a murky topic for companies to manage. In addition to all the new age topics to be aware of, regulatory matters on established business areas are just as convoluted across state-lines.
Automatically monitor regulatory updates to map to your internal policies, procesures and controls. Learn More
