In June 2022, Colorado enacted HB22-1410, a law governing remote work for licensed lenders. Specifically, the law amends the Uniform Consumer Credit Code by permitting employees of a supervised lender to work remotely. A “remote location” is defined in the law as “a private residence of an employee of a licensee or another location selected by the employee and approved by the licensee.”
In August 2022, Colorado Attorney General (AG) Phil Weiser’s office published new guidance related to HB22-1410, reiterating the compliance requirements licensees must meet for their employees to work remotely:
- Licensees must ensure that no in-person customer interactions are conducted at the remote location and that the remote location is not designated as a business location to consumers.
- Licensees must maintain appropriate safeguards for licensee and consumer data, information, and records, including the use of secure virtual private networks (VPNs) and not maintaining any consumer information and records at the remote location.
- Licensees must employ and record appropriate risk-based monitoring and oversight processes of the work performed, including having access to consumer and licensee information and records for regulatory oversight and examination.
- Licensees must train employees to work in environments conducive to ensuring privacy and to keep all conversations about and with consumers confidential “as if conducted from a commercial location.”
Entities not covered by HB22-1410, including collection agencies, debt management providers, and student loan servicers, are still regulated by the March 2020 guidance issued by AG Weiser’s office. That guidance will remain in effect until the last day of the legislative session on May 10, 2023. However, AG Weiser’s office acknowledged that due to the COVID-19 outbreak, individuals may be required to work from home even though their homes are not licensed as branches. Therefore, AG Weiser’s office does not intend to take action for such activities, as long as the following requirements are met:
- All Colorado activity is conducted from the home location of an individual working on behalf of an entity that is licensed, registered, or files notification with the office and not conducted in person with members of the public at the home.
- Licensees must ensure sufficient safeguards are in place to protect consumer information and data security.
- Licensees must exercise reasonable supervision of the licensable activity performed at the home office.
- Individuals working from home must not advertise, receive official mail, or store any books and records at their remote locations.
- Individuals are working from remote locations due to a reason connected to the COVID-19 outbreak and have informed the regulated entity in writing.
- Individuals cease conducting the activity from their home locations as soon as reasonably possible, consistent with recommendations from the CDC, CDPHE, and applicable state health departments.
The new guidance allows more flexibility for employees of entities regulated by the Consumer Credit Unit. These entities must ensure that requirements are met by both licensees and employees to stave off any scrutiny and/or subsequent consequences. For example, the guidance emphasizes that “[r]egulated entities are advised to establish policies and procedures, including for security of confidential information, document destruction and retention, and regulatory compliance for employees working remotely.” Companies should develop and implement these compliance requirements to avoid potential exposure down the road.