Updated: Sep 19, 2022
California has recently passed a bill authorizing a licensee under the California Financing Law (CFL) to designate an employee to perform work on the licensee’s behalf at a remote location. Licensees may permit their employees to perform work remotely only if proper action is taken to safeguard a consumer’s personal information.
To allow an employee to perform remote work, California requires that licensees:
Do not conduct in-person consumer interactions at a remote location, including the physical receipt of cash or monetary value or the disbursement of loan proceeds, at a remote location and does not designate a remote location to the public as a business location;
Prohibits the physical receipt of mail related to the licensee’s licensed business at a remote location;
Prohibits a consumer’s personal information from being physically stored at a remote location, except for storage on an encrypted device or media;
Provides an employee at a remote location with appropriate equipment, which may include encrypted device, virtual private networks, and similar technologies to perform work and safeguard licensee records and consumer personal protection, and;
Incorporates appropriate written policies and procedures to supervise and maintain appropriate control over the work of employees at remote locations and safeguard licensee’s records and consumer personal information, including the following:
o Employee data security training;
o Maintenance of security logs of remote logins;
o Procedures designed to detect suspicious logins or attempts, and;
o Data breach procedures.
While a handful of states have not yet permitted this, California’s approach is consistent with the trend of other state regulators who are allowing employees to work remotely. The key in all these cases is ensuring that borrower information is protected and not at any more risk to be compromised than if the employee worked out of the lender’s licensed location, and the commitment and actual supervision of the employees. It is likely that in the states that permit remote employees, state examiners will keep a sharp eye on these two elements. It is therefore highly recommended that a lender practice excellent control of borrower information protection and supervision of remote employees. A mere showing of a policy without exercising actual control and monitoring will not be sufficient.