chevron-down Created with Sketch Beta.

Business Law Today

December 2023

December 2023 in Brief: Business Regulation & Regulated Industries

Dredeir Roberts, Perry N Salzhauer, and Latif Zaman

December 2023 in Brief: Business Regulation & Regulated Industries
iStock.com/peeterv

Jump to:

Banking Law

FinCEN Extends Deadline for Companies Created or Registered in 2024 to File Beneficial Ownership Information Reports

By Rachael Aspery, McGlinchey Stafford, PLLC

On November 29, 2023, the United States Department of the Treasury Financial Crimes Enforcement Network (“FinCEN”) announced and issued a final rule to amend the Reporting Rule to implement the Corporate Transparency Act (“CTA”) that extends the deadline for certain reporting companies that were created or registered in 2024 to file their initial beneficial ownership information (“BOI”) reports with FinCEN. The deadline for these reporting companies created or registered in 2024 to file the initial reports will be ninety calendar days from the effective date of receiving actual or public notice of their creation or registration becoming effective.

This extension will give reporting companies created or registered in 2024 valuable extra time to understand their new regulatory obligations and obtain the information required to file their BOI reports. The additional time also provides these companies more time to become familiar with the guidance and educational materials on FinCEN’s website, and to resolve questions that may arise in the process of completing their initial BOI reports.

Entities created or registered on or after January 1, 2025, will still have thirty calendar days from notice of their creation or registration to file their BOI reports with FinCEN. Additionally, reporting companies created or registered before January 1, 2024, will still have until January 1, 2025, to file their initial BOI reports with FinCEN. FinCEN updated its BOI Frequently Asked Questions, Small Entity Compliance Guide, quick reference materials, and informational video to reflect the reporting deadline extension.

FinCEN Issues Access Rule to Beneficial Ownership Information

By Rachael Aspery, McGlinchey Stafford, PLLC

On December 21, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) announced and issued a final rule (“Access Rule”) under 31 C.F.R. Part 1010 that establishes the framework for access to and protection of beneficial ownership information (“BOI”) that will be reported to FinCEN pursuant to the Corporate Transparency Act (“CTA”). The Access Rule prescribes the circumstances under which BOI, which is reported in compliance with FinCEN’s final BOI Reporting Rule, may be disclosed to federal agencies; state, local, tribal, and foreign governments; and financial institutions, and how BOI must be protected.

The Access Rule aims to ensure that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that BOI only for purposes permitted by the CTA; and (3) authorized recipients re-disclose BOI only in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA.

The CTA establishes that BOI is confidential and may not be disclosed except as authorized under the CTA and the Access Rule. However, FinCEN is authorized to disclose BOI under specific circumstances to six categories of authorized recipients: (1) U.S. federal agencies engaged in national security, intelligence, or law enforcement activity; (2) U.S. state, local, and tribal law enforcement agencies; (3) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (foreign requesters); (4) financial institutions using BOI to facilitate compliance with customer due diligence requirements under applicable law, provided the financial institution requesting the BOI has the relevant reporting company’s consent for such disclosure; (5) federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements under applicable law; and (6) Treasury officers and employees.

Each category of authorized recipient will be subject to specific security and confidentiality requirements, and authorized recipients of BOI are generally prohibited from re-disclosing BOI except in eight specific circumstances. With respect to security and confidentiality requirements, financial institutions will be able to satisfy this requirement by applying the same security and information handling procedures to BOI as required to protect customers’ nonpublic personal information pursuant to section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. For each BOI request that it makes, a financial institution will have to certify that the request satisfies applicable criteria, and geographic restrictions will apply. For financial institutions, re-disclosure is authorized among financial institutions and their regulators, including qualifying self-regulatory organizations.

The Access Rule broadens the definition of “customer due diligence requirements under applicable law” to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify BOI of a legal entity customer.” General business or commercial use of BOI is not authorized, and financial institutions, for example, are not permitted to access BOI from FinCEN in determining whether to extend credit to a legal entity or pricing decisions when such credit decisions are unrelated to anti-money laundering, countering the financing of terrorism, or national security purposes.

Violations of the CTA carry both civil and criminal penalties for any person who knowingly discloses or knowingly uses BOI obtained by that person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA. The Access Rule clarifies that an “unauthorized use” includes any unauthorized access to BOI submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information.

In conjunction with the Access Rule, FinCEN issued two interagency statements to give banks and non-bank financial institutions guidance on the interplay between the final rule and FinCEN’s existing Customer Due Diligence Rule. FinCEN also published a Beneficial Ownership Information Access and Safeguards Final Rule Fact Sheet.

The Access Rule will be effective on February 20, 2024. Starting in 2024, FinCEN will begin to provide access to BOI in phases to authorized government agencies and financial institutions that meet the requirements of the final rule.

Cannabis Law

New York Welcomes Close of First Unrestricted Cannabis Licensing Window with Fresh Lawsuit

By Perry N. Salzhauer, McGlinchey Stafford PLLC

At 5:00 p.m. EST on December 18, the New York Cannabis Control Board (CCB) and its implementing agency, the Office of Cannabis Management (OCM), closed its first, and perhaps only, open application window for Adult-Use Cannabis Licenses. The application window, which opened on October 4, was the first opportunity for individuals without either an active hemp license or a previous conviction for a marijuana offense in New York to apply for what is expected to be one of the most valuable adult-use marijuana licenses in the United States. Before that day was over, applicants were greeted with a new lawsuit, filed in the US District Court for the Northern District of New York (Variscite NY Four, LLC v. New York State Cannabis Control Board, 1:23-CV-1599), seeking to enjoin OCM and CCB from processing any applications submitted during the application window. The lawsuit is the fourth lawsuit filed against New York cannabis regulators since they began implementing New York’s Marijuana Regulation and Taxation Act (MRTA) in 2022.

The Variscite NY Four plaintiffs allege that the regulations implementing MRTA, the license application process, and the selection criteria each violate the dormant commerce clause of the US Constitution insofar as they favor New York residents over residents of other states in the application and license selection processes. The complaint alleges that the OCM application process—which grants “extra priority” in the processing of applications by applicants that are owned and controlled by a majority of individuals who have either been convicted of a marijuana offense in New York or who have lived in certain areas of New York State disproportionately impacted by the enforcement of the cannabis prohibition—impermissibly discriminates against individuals who, despite meeting all other criteria for “extra priority,” are not, or have never been, residents of the state of New York.

The plaintiffs in the current case are both affiliates of Variscite NY One, LLC, the plaintiff that in September 2022 filed the first lawsuit against the state agencies in connection with the implementation of MRTA. The Variscite NY One lawsuit delayed the issuance of Conditional Adult-Use Retail Dispensary Licenses in certain regions of New York and ultimately resulted in a settlement pursuant to which Variscite NY One was granted a Conditional Adult-Use Retail Dispensary License by CCB. The agency defendants have not yet responded to the complaint.

Consumer Finance

UDAAP Reform Legislation Proposed in House

By Eric Mogilnicki and B. Graves Lee

On December 14, Congressman Andy Barr (R-KY) introduced in the U.S. House H.R. 6789 (bill text linked here), proposed legislation entitled the “Rectifying Undefined Descriptions of Abusive Acts and Practices Act.” The proposed legislation would amend and clarify the standards surrounding the authority of the Consumer Financial Protection Bureau to police unfair, deceptive, and abusive acts and practices (“UDAAP”) under the Consumer Financial Protection Act. In particular, the legislation would:

  • require the Bureau to issue a rule establishing policies and procedures relating to the imposition of civil penalties for UDAAP violations, including the application of statutory mitigating factors;
  • require the Bureau to issue a rule defining “abusive act or practice”;
  • prohibit the Bureau from interpreting UDAAP “to include discriminatory practices”;
  • prohibit the Bureau from seeking monetary relief for abusiveness upon a showing that the target “made a good-faith effort to comply” with the law (thereby partially codifying a 2020 CFPB policy statement on abusiveness that the Bureau later rescinded);
  • provide for a notice-and-opportunity-to-cure period upon self-identification of potential UDAAP violations;
  • prohibit the Bureau from pleading both abusiveness and unfairness (or deception) arising from identical or similar facts; and
  • limit the Bureau’s ability to seek civil penalties for conduct occurring prior to the target’s most recent consumer compliance rating.

Congressional Democrats Push CFPB to Issue Rulemaking on Arbitration

By Eric Mogilnicki and B. Graves Lee

On December 13, a coalition of Democratic members of Congress wrote a letter to CFPB Director Rohit Chopra seeking a Bureau rulemaking to limit consumer arbitration clauses. The letter begins by conceding that Congress has the authority to limit such clauses, but it asserts that “the Bureau is best positioned” to take such action with regard to financial products and services. The letter also notes that Congress voted to overturn the 2017 Bureau arbitration rule under the Congressional Review Act, and that the Act now operates to prohibit the Bureau from issuing a rule in “substantially the same form.” 5 U.S.C. § 801(b)(2). However, the letter argues that the Bureau still has the underlying authority to regulate arbitration and that a new rule need not violate that prohibition.

CFPB Releases Semiannual Rulemaking Agenda, Includes Anticipated Rulemakings on Overdrafts and NSF Fees

By Eric Mogilnicki and B. Graves Lee

In early December, the CFPB released its Fall 2023 Rulemaking Agenda, which lists rulemakings the Bureau expects to enter the pre-rule, proposed rule, or final rule stages during the period November 1, 2023, through October 31, 2024. The agenda includes three items that are scheduled for issuance in December 2023. First, the Bureau anticipates finalizing a proposed rule limiting credit card late fees. As discussed in past updates, the proposed rule, which faced industry pushback, would amend Regulation Z’s safe harbor for credit card late fees by reducing the safe harbor amount to $8 from the current level of $30 (for a first-time late payment) to $41 (for subsequent late payments), prohibiting late fees greater than 25% of a cardholder’s required minimum payment, and removing the automatic annual adjustment for inflation. The Rulemaking Agenda also anticipates that the Bureau will issue two proposed rules this month: one would amend the provisions of Regulation Z that determine when overdrafts are considered finance charges under the Truth in Lending Act, and one would identify situations in which charging customers a non-sufficient funds (“NSF”) fee would constitute an unfair, deceptive, or abusive act or practice (“UDAAP”) under the Consumer Financial Protection Act.

In addition to those rulemakings, the Rulemaking Agenda also includes the following:

  • The Bureau is considering a rulemaking to amend Regulation V, which implements the Fair Credit Reporting Act.
  • The Bureau anticipates issuing a proposed rule in March 2024 that would amend the rules applicable to mortgage servicing.
  • The Bureau, in conjunction with a number of other agencies, anticipates issuing a proposed rule in June 2024 that would implement the Financial Data Transparency Act, which requires the agencies to establish data standards for the collection of information from financial entities under their jurisdiction.

Finally, the Bureau anticipates that in 2024 it will finalize rulemakings regarding a registry of nonbanks that use form contracts, a registry of nonbanks subject to enforcement actions, automated valuation models, and the application of ability-to-repay requirements to Property Assessed Clean Energy financing transactions. The Rulemaking Agenda does not provide an estimated date for a final rule in the Bureau’s rulemaking to subject larger participants in the consumer payments and digital wallet market to supervision, or for a final rule in the Bureau’s personal financial data rights rulemaking.

Democratic State Attorneys General Send Letters to CFPB and OCC Requesting Assistance for Investigations of Federally Chartered Banks

By Eric Mogilnicki and B. Graves Lee

On December 6, twenty-one state attorneys general (“AGs”) sent letters to the CFPB and the Office of the Comptroller of the Currency requesting that those agencies take actions to assist the AGs with investigations of federally chartered banks and with the enforcement of state consumer protection laws. In particular, the AGs ask the Bureau “to make clear to the Banks that it creates a material risk that may give rise to unfair or abusive acts or practices for any Bank to refuse to cooperate with State AG information requests that seek to further enforcement of applicable state laws, including enforcement of generally applicable state consumer laws.” According to the state AGs, federally chartered banks are often unwilling to cooperate fully with investigations regarding state consumer laws, and many “regularly refuse to provide the documents or testimony necessary to shed light on their practices,” which forces state AGs to “sue first and ask questions later” and contributes to an adversarial regulatory relationship. The letter to the CFPB asserts that the Bureau’s authority to enforce consumer protection laws is not limited to federal law, and it suggests that the Bureau could develop a more formal mechanism for state AGs to seek assistance when a federally chartered bank is resisting a state investigation.

CFPB Director Chopra Testifies before Congress on Semi-Annual Report

By Eric Mogilnicki and B. Graves Lee

Last month, the CFPB published its Semi-Annual Report to Congress, which describes the Bureau’s activities for the period beginning October 1, 2022, and ending March 31, 2023. The Report covers, inter alia, significant rules and orders, consumer complaints, supervisory and enforcement actions, actions by state attorneys general and other financial regulators, fair lending, efforts to increase workforce and contracting diversity, and a justification of the previous year’s budget request.

CFPB Director Rohit Chopra appeared before the House Financial Services Committee on November 29, and the Senate Banking Committee on November 30, to testify regarding the Semi-Annual Report. In his opening statements to each body (House, Senate), Director Chopra surveyed the state of the consumer financial services marketplace, observing high levels of consumer debt. He noted that total outstanding credit card debt surpassed $1 trillion for the first time in 2022, and that consumers paid $130 billion in interest and fees on credit cards last year. He also pointed to similar trends in the auto lending market, where loan volume has exceeded $1.6 trillion, and added that the Bureau is “actively monitoring credit performance and repossession activity” in that market. Director Chopra also described developments in the student loan and residential mortgage markets.

In summarizing recent Bureau activities, Director Chopra highlighted the Bureau’s proposed rule to implement Dodd-Frank Section 1033, planned revisions to Fair Credit Reporting Act regulations applicable to medical debt reporting and to data brokers, various Bureau initiatives aimed at “junk fees,” and a proposal to supervise large technology companies offering payment services. Director Chopra also touted the Bureau’s supervision and enforcement efforts, noting that in the last two years, the Bureau has obtained orders totaling $8 billion in penalties and redress.

Director Chopra touched on similar themes while facing questions from members of Congress. He touted the Bureau’s Section 1033 rulemaking, which drew complimentary feedback from members on both sides of the aisle. Congressman Patrick McHenry (R-NC), the House Financial Services Committee Chairman, described the proposal as containing “some really smart stuff” and noted that the Bureau has “approached this as taking inputs from a wide variety of people.”

Director Chopra also raised concerns regarding the role of artificial intelligence in financial services, warning that “extremely opaque AI [could] magnif[y] disruptions in a market that turn tremors into earthquakes.” He signaled that the risks of AI and similar technologies are “very worthy” of examination by the Financial Stability Oversight Council. Director Chopra’s comments on AI echoed those he delivered at an Axios AI+ Summit earlier in the week. At the Summit, Director Chopra described concerns about concentration in the market for AI tools, stating, “There could be a handful of firms, and just to be honest, a handful of individuals who ultimately have enormous control over decisions made throughout the world. . . . I think what we’ve seen with lots of aggregations of data, that much of the gains are not broadly distributed, and they go to a handful of people.”

Congress Passes Resolution to Nullify CFPB Small Business Lending Data Rule, Veto Expected

By Eric Mogilnicki and B. Graves Lee

On December 1, the House of Representatives passed S.J. Res. 32, a joint resolution under the Congressional Review Act aimed at repealing the Bureau’s recent final rule to implement the requirements of Dodd-Frank Act Section 1071. Section 1071 requires the Bureau to promulgate rules governing lenders’ collection of data regarding applications for credit by women-owned, minority-owned, and small businesses. The joint resolution passed in the House largely along party lines, with six Democrats joining all Republicans to pass the resolution. Should the joint resolution (which has already passed in the Senate) become law, the final rule would be repealed, and the Bureau would be barred from promulgating any substantially similar rule in the future. However, President Biden is expected to veto the joint resolution, and it does not appear that there are sufficient votes to override such a veto. In the meantime, enforcement of the Section 1071 rule has been halted nationwide following a number of legal challenges.

Bureau Comments on California Income-Based Advance Company Registration and Examination Proposal

By Eric Mogilnicki and B. Graves Lee

On November 27, the CFPB submitted a comment letter to the California Department of Financial Protection and Innovation (“DFPI”) regarding a recent DFPI proposal that would subject companies offering income-based advances to registration and examination requirements. The Bureau’s comment letter was supportive of the DFPI proposal, noting that state supervision of consumer financial services providers “promotes robust consumer protection.”

The Bureau has opined on the treatment of income-based advances (also called “earned wage access” products) in the past, including a November 2020 advisory opinion that described the circumstances under which earned wage access providers do and do not offer “credit” under Regulation Z. However, the Bureau under Director Chopra has downplayed that advisory opinion, and in last week’s comment letter, it stated, “The CFPB’s previous advisory opinion on this topic should not be misrepresented: Products that do not fit within its very narrow scope are not excluded from existing laws. To the contrary, the CFPB supports efforts to subject such products to rigorous oversight for the full scope of existing state and federal consumer protection and lending laws.” In a blog post announcing last week’s comment letter, CFPB General Counsel Seth Frotman stated, “Given the many developments in this market, the CFPB plans to issue further guidance to provide greater clarity concerning the application of federal law to income-based advance products.”

Construction Loan Disclosure Pilot Program Earns Bureau Approval

By Eric Mogilnicki and B. Graves Lee

On November 21, the CFPB announced that it has approved an application by the Independent Community Bankers of America for a Trial Disclosure Program Waiver Template under the Bureau’s Policy to Encourage Trial Disclosure Programs (the “Policy”). The Policy, published by the Bureau in 2019, permits covered persons to apply for Bureau approval to conduct trial programs surrounding loan disclosures. The application approved this week proposed to implement tweaks to the Loan Estimate and Closing Disclosure that mortgage lenders must provide under the Bureau’s TILA-RESPA Integrated Disclosure Rule (the “TRID Rule”). According to the application, the TRID Rule regime was designed primarily for standard home purchase or refinance mortgage transactions and “do[es] not adequately disclose all of the various components of a construction or construction-to-permanent loan.” Under the approval order issued last month, the applicant may deviate in certain respects from the standard TRID Rule disclosures in the context of construction or construction-to-permanent loans.

Ninth Circuit Dismisses Class Action for Alleged Violations of Privacy and Unfair Competition Laws against E-Commerce Payment Platform

By Margaret Hayes, Pilgrim Christakis

On November 28, 2023, the Ninth Circuit affirmed the Northern District of California’s dismissal of a putative class action that alleged Shopify—an e-commerce payment platform—violated various California privacy and unfair competition laws when it “deliberately concealed its involvement” in consumer transactions. Briskin v Shopify, Inc., 87 F.4th 404 (9th Cir. 2023)

Plaintiff Brandon Briskin, a resident of California, made an online purchase on his phone from a California-based retailer while he was physically in California. Briskin believed that he was only dealing with the retailer when making the purchase, but Shopify processed the transaction on behalf of the retailer and stored Briskin’s information for later use and analysis. Briskin alleged that Shopify also installed cookies on his phone, connected his browser to Shopify’s network, transmitted his information to a second payment processor, and used his information to create consumer profiles that were shared with other merchants.

The complaint named defendants Shopify, Inc., a Canadian corporation, and two of its subsidiaries, Shopify (USA), Inc., and Shopify Payments (USA), Inc. (collectively, “Shopify”). None of the defendants were headquartered or incorporated in California.

Shopify moved to dismiss for lack of personal jurisdiction. There was no dispute that the Northern District of California did not have general jurisdiction over the defendants, so the Ninth Circuit considered whether specific jurisdiction existed. In order to establish specific jurisdiction, Briskin would have to show that (i) Shopify purposefully availed itself of the privileges of conducting activities in California or purposefully directed its activities toward California, and (ii) that his claims arose out of or related to Shopify’s California-related activities.

The Ninth Circuit applied the test from Calder v. Jones, 465 U.S. 783 (1984), and determined that Briskin could not establish specific jurisdiction because there was an insufficient relationship between Briskin’s claims and Shopify’s business contacts in California. Briskin’s claims had nothing to do with Shopify’s contracts with merchants in California, and the Court of Appeals noted that Briskin “would have suffered the same injury regardless of whether he purchased the items from a California merchant.” Additionally, Shopify is a nationwide e-commerce payment platform, and there was no allegation that Shopify “alter[ed] its data collection activities based on the location of a given online purchaser” or specifically targeted California customers. And, though Shopify knowingly profited from consumers in California, the Court of Appeals held that that alone was insufficient to establish that it expressly aimed its conduct toward California.

The Ninth Circuit recognized that there “has been the need to draw some lines to avoid subjecting web platforms to personal jurisdiction everywhere,” which would not comport with due process. The decision establishes (at least, for the Ninth Circuit) that providing online services to a customer may not be enough to confer personal jurisdiction in the customer’s forum state without additional evidence that the servicer expressly aimed its conduct to consumers in the forum state.

Labor & Employment Law

NLRB’s Expansive New Joint Employer Rule Delayed amid Legislative and Legal Challenges

By Taylor Graham, Boulette Golden & Marin L.L.P.

In November 2023, the National Labor Relations Board (NLRB) announced another delay to the effective date of its new joint employer rule, to February 26, 2024, “to facilitate resolution of legal challenges with respect to the rule.” The final rule (29 C.F.R. § 103.40 – Joint Employers), published on October 27, 2023, replaces and expands on the NLRB’s previous 2020 joint employer rule. The revised rule focuses on the right, or theoretical authority, of an alleged joint employer to control essential terms and conditions of a different employer’s employee rather than the 2020 rule’s focus on whether direct control is exercised by the alleged joint employer.

The NLRB rejected the 2020 rule, claiming it lacked foundation in the common law due to its effect of raising the threshold to “substantial direct and immediate” control over essential terms and conditions of employment. According to the NLRB, essential terms and conditions of employment subject to the rule include: (1) wages, benefits, and compensation; (2) work hours and scheduling; (3) assignment of duties; (4) supervision of duties; (5) work rules governing performance of duties and maintenance of discipline; (6) tenure including hiring and firing; and (7) working conditions relating to health and safety of employees. The 2023 joint employer rule reinstates an expanded standard set out in the NLRB’s 2015 Browning-Ferris decision. Browning-Ferris Industries of California, Inc., 362 NLRB No. 186 (Aug. 27, 2015). Supporters of the 2023 rule claim that it more closely aligns with common law agency principles, an approach endorsed by the United States Court of Appeals for the District of Columbia in Browning-Ferris Indus. of California, Inc. v. NLRB, 911 F.3d 1195 (D.C. Cir. 2018). Opponents of the 2023 rule argue that the NLRB’s 2015 Browning-Ferris decision upturned over thirty years of the direct control framework that the 2020 rule reinstated. The 2023 rule’s final enactment must clear at least two hurdles before the February 26, 2024, effective date: a Congressional Review Act resolution to overturn the rule and at least one lawsuit filed against the NLRB on November 9, 2023, by business groups alleging the 2023 rule is overbroad, unclear, arbitrary, and contradictory to common law principles. Chamber of Commerce of the United States of America, et. al v. NLRB, Case 6:23-cv-00553 (E.D. Tex. Nov. 9, 2023).

The new rule could expand liability for employers who maintain relationships with staffing agencies, contractors, and vendors found to engage in unfair labor practices and could require such joint employers to bargain with groups of individuals that are currently not considered employees. Though the new rule applies only to proceedings before the NLRB and only then to filings made on or after the effective date (currently February 26, 2024), employers should monitor the NLRB’s activity regarding joint employer liability, as it may signal a trend for other employment-focused federal agencies to follow, including the Department of Labor and Equal Employment Opportunity Commission. 

    Editors