New California Regulation Extends UDAAP Prohibitions to Commercial Financing

While federal and state laws have long prohibited providers of financial services from engaging in unfair, deceptive, and abusive acts and practices (“UDAAP”), such prohibitions typically apply only to consumer-purpose transactions rather than business-purpose transactions. However, as of October 1, 2023, a new California law extends the UDAAP prohibitions already in place under the California Consumer Financial Protection Law to certain commercial financing transactions in addition to consumer transactions.

The California Department of Financial Protection and Innovation (“DFPI”), pursuant to its authority under California Financial Code Section 90009, issued a final rule that prohibits certain “covered providers” from engaging in UDAAP in connection with offering or providing “commercial financing” or other financial products or services to “covered entities.”1

Key Definitions and Scope

As with many financial services regulations, the definitions of these key terms have a material impact on the scope of this law.

“Covered entities” are defined as small businesses, nonprofits, or family farms whose activities are principally directed or managed from California.2 A “small business” is an entity with annual gross receipts of no more than $16 million or the amount set by the California Department of General Services, whichever is greater.3 The new UDAAP rule applies to “covered providers,” which are persons engaged in the business of offering or providing commercial financing or another financial product or service to a covered entity, but excludes banks, bank holding companies, trust companies, savings and loan associations, credit unions, and certain other entities exempted from California Financial Code Section 90002, as well as persons acting under authority of one of the listed DFPI licenses.4

In contrast to the new definitions established under this rule, the terms “commercial financing” and “financial products or services” utilize the same definitions as those already contained in the California Financial Code, except that the references to “consumers” or “consumer financial products or services” in the relevant Financial Code sections shall now apply to commercial entities and financial products or services provided for commercial purposes. Specifically, “commercial financing” means:

an accounts receivable purchase transaction, including factoring, asset-based lending transaction, commercial loan, commercial open-end credit plan, or lease financing transaction intended by the recipient for use primarily for other than personal, family, or household purposes5

and “financial products or services" include, but are not limited to, the following (subject to certain exceptions):

  • extending credit and servicing extensions of credit, including acquiring, purchasing, selling, brokering extensions of credit;
  • extending or brokering leases of personal or real property (if certain conditions are met);
  • engaging in deposit-taking activities, transmitting or exchanging funds, or otherwise acting as a custodian of funds or any financial instrument;
  • selling, providing, or issuing certain stored value or payment instruments;
  • providing payments or other financial data processing products or services by any technological means, including processing or storing financial or banking data for any payment instrument, or through any payment system or networks used for processing payment data;
  • collecting, analyzing, maintaining, or providing credit report information or other account information in connection with any decision regarding a financial product or service; and
  • collecting debt related to any financial product or service.6

Based on the above, in order to know whether a specific commercial financing transaction or financial product or service is covered under the commercial UDAAP statute, a covered provider would have to determine: (a) whether activities are “principally directed or managed from California,” (b) whether a business is a “small business” based on its annual gross receipts, and (c) whether financing provided to a covered entity will be primarily used for commercial purposes. Notably, the commercial UDAAP statute provides that covered providers making such determinations may rely on written representations by the business entity as to its location, business size, and primary purpose.7

UDAAP Prohibitions

In its new regulation prohibiting UDAAP in connection with commercial financing, the DFPI provides definitions as to what acts and practices are deemed either unfair, deceptive, or abusive. These definitions are substantively similar to those applicable to consumer transactions under the federal Consumer Financial Protection Act,8 but also include acts that would be deemed unfair or deceptive under California’s unfair competition law.

An act or practice is unfair if either:

  1. (a) the act or practice causes or is likely to cause substantial injury to covered entities; (b) the injury is not reasonably avoidable by covered entities; and (c) the injury is not outweighed by countervailing benefits to covered entities or to competition; or
  2. the act or practice is unfair in accordance with California Business and Professions Code section 17200 and the case law thereunder.9

An act or practice, including a representation or omission, is deceptive if either:

  1. (a) the act or practice misleads or is likely to mislead the covered entity; (b) the covered entity's interpretation of the act or practice is reasonable under the circumstances; and (c) the act or practice is material; or
  2. the act or practice is deceptive in accordance with California Business and Professions Code section 17200 and the case law thereunder.10

An act or practice is abusive if either:

  1. the act or practice materially interferes with the ability of a covered entity to understand a term or condition of commercial financing or another financial product or service; or
  2. the act or practice takes unreasonable advantage of: (a) a lack of understanding on the part of the covered entity of the material risks, costs, or conditions of the commercial financing or other financial product or service; (b) the inability of the covered entity to protect its interests in selecting or using commercial financing or another financial product or service; or (c) the reasonable reliance by the covered entity on a covered provider to act in the interests of the covered entity.11

Reporting Requirement

Additionally, there are new reporting requirements that covered providers must comply with. Beginning in 2025, covered entities are required to file a report with the DFPI, on or before March 15th of each year, containing information regarding their business activity during the preceding calendar year.

The information that must be disclosed in the reports includes: (1) the covered provider’s name, any fictitious business names, entity type, mailing address, phone number, email address, website address, and the designated contact person; (2) the total number and total dollar amount of commercial financing transactions with covered entities; (3) the number of commercial financing transactions with covered entities with certain ranges of amounts financed; and (4) the minimum, maximum, average, and median annual percentage rate disclosed for each range of amounts financed.12 According to the DFPI’s Initial Statement of Reasons for the proposed adoption of the rule, the filed reports will be used to monitor market attributes and help the DFPI prepare its required annual reports to the public.13

Covered providers licensed under the California Financial Code need not include in their annual reports activity conducted under the authority of that license.14 Additionally, covered providers are not required to file the annual reports if, within a 12-month period, they make no more than one commercial financing transaction, or no more than five commercial financing transactions that are incidental to the business of the covered provider.15

Implications for Commercial Finance Providers

California’s new prohibition on UDAAP for commercial financing matters to any covered provider that offers or provides commercial financing or related financial products or services to any business that is a “covered entity” under the rule.

The new UDAAP rule authorizes the DFPI to bring enforcement proceedings against any covered provider that violates the regulations, and enables the DFPI to impose penalties, which include rescission or reformation of contracts, refund of moneys or return of real property, limits on activities or functions, and monetary penalties which can range from $2,500 per violation (or $5,000 per day) for any violation to $25,000 per violation (or $1,000,000 per day) for a knowing violation.16 The DFPI’s ability to initiate a civil action for violation of the UDAAP prohibition is subject to the Consumer Financial Protection Law’s four-year statute of limitations, starting from the date of the discovery of the violation.17

Importantly, as the DFPI has not yet initiated any action enforcing the commercial UDAAP rule, and has not offered specific interpretive guidance in addition to its Initial Statement of Reasons, it remains to be seen how the UDAAP prohibitions will be implemented in practice given their consumer-specific origins. For example, it is not necessarily clear how the “deceptive” standard will be applied to determine that a covered entity has been “mislead” on an organizational level, compared to a more straightforward showing that an individual consumer was or was likely to be mislead, or how the reasonableness of an entity’s interpretation of an act or practice will be assessed. Similarly, it is unclear how a claim of abusive acts or practices would be interpreted if the DFPI attempts to show an act interfered with the ability of an entire covered entity to understand a term or condition of commercial financing or that the entity as a whole lacked understanding of the risks, costs, or conditions of the commercial financing, compared to such a claim with respect to an individual consumer.

As this new rule continues to be analyzed and interpreted in the coming months and years, it is important that any entity that could qualify as a covered provider understand how this rule will impact its business, its customers, and the industry. In the short term, to mitigate risk of violating the commercial financing UDAAP prohibition, it may be advisable to effectively treat covered entity recipients of commercial financing as if they were consumers in terms of disclosures, informed consent, communications, and other requirements consistent with the California Consumer Financial Protection Law. As with consumer financial products and services, covered providers offering commercial financing to covered entities should regularly evaluate their products - and the way they are being offered - for potential UDAAP violations. This can include:

  • ensuring material terms are clearly disclosed on commercial financing applications and agreements;
  • providing covered entities the opportunity to review and negotiate terms so that it can be shown they had the opportunity to understand them and protect their interests;
  • obtaining written consents from covered entity representatives acknowledging their understanding of the transaction and opportunity to seek advice from counsel before consummating;
  • and updating internal policies and procedures with respect to commercial financing so that they are designed to avoid activities or outcomes that may be deemed unfair, deceptive, or abusive under California law.

We will continue to monitor developments regarding the DFPI’s implementation of the UDAAP prohibitions on commercial financing, including any enforcement actions or interpretive guidance that may help refine covered providers’ understanding of the new rule.


[1] Cal. Code Regs. tit. 10 §§ 1060-1062.

[2] Cal. Code Regs. tit. 10 § 1060(d).

[3] Cal. Code Regs. tit. 10 § 1060(i).

[4] Cal. Code Regs. tit. 10 § 1060(e); Cal. Fin. Code § 90002

[5] Cal. Code Regs. tit. 10 § 1060(b); Cal. Fin. Code § 22800(d).

[6] Cal. Code Regs. tit. 10 § 1060(g); Cal. Fin. Code § 90005(k).

[7] Cal. Code Regs. tit. 10 §§ 1060(d)(2), 1060(i); Cal. Fin. Code § 22800(d)(2).

[8] See 12 USC § 5531.

[9] Cal. Code Regs. tit. 10 § 1061(b).

[10] Cal. Code Regs. tit. 10 § 1061(c).

[11] Cal. Code Regs. tit. 10 § 1061(d).

[12] Cal. Code Regs. tit. 10 § 1062(c).

[14] Cal. Code Regs. tit. 10 § 1062(d).

[15] Cal. Code Regs. tit. 10 § 1062(a).

[16] Cal. Fin. Code § 90012.

[17] Cal. Fin. Code § 90014(a).

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their