HB656 amends KRS 286.9-140 to create a statewide, real‑time database for deferred deposit service licensees and to give the commissioner broad authority to run or contract for that database. The bill establishes operational requirements for licensees and database providers, confidentiality and retention rules for customer data, and an annual reporting requirement.
The measure also formalizes how the state funds the database by authorizing a commissioner‑imposed per‑transaction fee that may be charged to customers, and it builds civil and contract remedies against third‑party operators that misuse the data. The result is a single regulatory tool that increases oversight capacity while adding compliance, privacy, and cost considerations for lenders, vendors, and consumers.
At a Glance
What It Does
The bill requires deferred deposit licensees to use a common real‑time database and to submit specified customer and transaction data before each transaction. It fixes the per‑transaction data submission fee at three dollars ($3), which the commissioner may require be collected and remitted, and empowers the commissioner either to operate the system or to contract with a third‑party provider subject to strict limits on data use and vendor performance.
Who It Affects
Licensed deferred deposit (payday) lenders in Kentucky, any third‑party database operator selected by the department, and consumers who obtain deferred deposit transactions; the Department of Financial Institutions (the commissioner) gains new operational responsibilities and oversight tools.
Why It Matters
Centralizing transaction records creates easier detection of multiple outstanding loans and stronger enforcement data, but it also shifts per‑transaction costs (potentially to consumers), concentrates sensitive personal data in one system, and imposes new vendor and compliance obligations that will affect contracting, procurement, and operations.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
HB656 sets up a mandatory, real‑time central database that deferred deposit service licensees must use to check whether a potential customer has outstanding deferred deposit transactions. Before each deferred deposit transaction, the licensee must submit prescribed identifying and transactional fields (name, Social Security or employment authorization alien number, address, driver’s license, transaction amount and dates, and other items the commissioner may require).
The statute authorizes the commissioner to write implementing regulations and to define formats and additional data elements.
The bill fixes the data‑submission fee at three dollars per transaction and permits that fee to be charged to customers. The commissioner may operate the database directly or select a private vendor.
If a third‑party vendor is retained, the statute requires the department to weigh cost, technical ability, and fraud‑prevention tools, and it constrains the vendor’s permitted uses of the data to those specified in statute and contract. The vendor must hold any collected fees in a separate escrow account and remit them monthly to the department.Operational controls are detailed.
The database must verify eligibility for new transactions and support OFAC/FinCEN compliance checks. It must track complaint and restitution metrics the commissioner requires.
The provider must offer a contingency verification process for licensees when technical issues prevent internet access, secure transmission and storage of customer data, and comply with identity‑theft protections.The bill prescribes lifecycle rules for transactions: the provider must mark a transaction closed immediately upon notification (no later than 11:59 p.m. that day), may auto‑close a transaction five days after maturity unless the licensee timely reports it remains open for enumerated reasons, and must close all open transactions for a licensee that stops offering services sixty days after cessation unless the licensee files and obtains approval for a plan to continue updates. Records in the database are confidential, exempt from Kentucky’s Open Records Act and most discovery, and the commissioner may access archived data only for examinations, investigations, or enforcement.Finally, HB656 gives the commissioner exclusive responsibility for investigating and enforcing the subtitle (the commissioner may not delegate this enforcement role to a third‑party provider), permits licensees to rely on database information without incurring liability for inaccuracies (so long as the licensee submitted required data accurately and promptly), sets archival and deletion timelines (archive within 365 days and delete identifying information on archive; delete customer transaction data three years after close or after any related action concludes), and requires the database provider to file a detailed annual report of transaction volume, outstanding balances, fees collected, and other performance statistics by March 1 each year.
The Five Things You Need to Know
The statute requires licensees to submit key identifying fields—name, Social Security number or employment‑authorization alien number, address, driver’s license number, transaction amount, transaction date, and closing date—into the real‑time database before entering each deferred deposit transaction.
The commissioner must charge a flat $3.00 per transaction for the data submission, and the commissioner may require the database provider to collect that fee from licensees and remit it monthly while holding funds in a separate escrow account.
If the commissioner contracts with a third‑party provider, the vendor may use the data only as the subtitle and contract permit, faces contract termination for violations, and is exposed to civil liability—injured persons can sue the vendor for actual damages plus attorney’s fees and costs.
The database auto‑closes transactions five days after the maturity date unless a licensee reports timely that the transaction remains open for reasons such as nonpayment, clearing, or return for NSF; and when a licensee stops offering deferred deposit transactions, open items auto‑close after 60 days unless the licensee submits an approved continuity plan.
Customer transaction data must be archived within 365 days after close (with identifying information removed on archive) and fully deleted three years after close or three years after any pending administrative, legal, or law‑enforcement action concludes—whichever is later.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Common database and mandatory data submission
This portion requires a common, internet‑accessible database for deferred deposit licensees and obligates licensees to submit specified customer and transaction data into the system before each transaction. Practically, licensees must build or integrate systems to send prescribed fields in the format the commissioner prescribes and ensure real‑time availability for transaction eligibility checks.
Per‑transaction fee
The commissioner is authorized to impose a per‑transaction charge of three dollars ($3) for the data service; the statute explicitly allows that fee to be passed on to customers. The provision also contemplates administrative control over collection mechanics and, when a vendor is used, their role in remitting funds to the department.
Commissioner operation or third‑party contracting and vendor obligations
The statute gives the commissioner the option to operate the database directly or to contract with a private provider, and it lists selection criteria (cost, ability to meet requirements, fraud prevention tools). If contracted, the provider’s use of data is strictly limited to statutory and contractual purposes; violations expose the vendor to contract termination, possible debarment from other state contracts, and civil suits by injured persons. The vendor must keep collected fees in a segregated escrow account and remit them monthly to the department.
Database functionality, security, and transaction lifecycle rules
The database must provide eligibility verification, help licensees meet OFAC/FinCEN obligations, and capture complaint and restitution metrics. It must implement contingency processes for outages, secure data handling, and identity‑theft protections. Transactions must be marked closed promptly when notified; otherwise, the provider auto‑closes five days after maturity unless timely reported by the licensee for specified reasons.
Licensee cessation, closure plans, and disclosure limits
When a licensee stops offering deferred deposit transactions, the provider auto‑closes its open transactions after sixty days unless the licensee files an approved plan to continue database updates. Responses to database inquiries must state only eligibility and the reason for ineligibility, and detailed transaction histories are confidential, exempt from open‑records disclosure, and shielded from most discovery and subpoena except in actions under the subtitle.
Access, enforcement, retention, reliance, and reporting
The commissioner may access the database for investigations and examinations and may not delegate enforcement responsibilities to a vendor. The commissioner can set rules for archival and deletion: archive within 365 days, delete identifying information on archive, and delete transaction data three years after close (or three years after related actions conclude). Licensees may rely on the database as accurate—provided they submitted required data—and the provider must file a detailed annual report on transactions, fees, outstanding balances, charge‑offs, and other metrics.
This bill is one of many.
Codify tracks hundreds of bills on Finance across all five countries.
Explore Finance in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- State regulator (commissioner/department): Gains a centralized, searchable dataset to detect multiple outstanding loans, monitor industry statistics, and support targeted enforcement and policy development.
- Compliant licensees: Benefit from a single source of truth for eligibility checks, reducing duplicate lending risk and receiving immunity from liability for relying on the database so long as they submit required data accurately and promptly.
- Consumers with exploitation complaints: Gain an enforcement channel and a clearer record trail—statutory tracking of complaint outcomes and restitution provides greater transparency and a civil remedy against vendors that misuse data.
- Policymakers and researchers: Receive structured annual reports with standardized metrics (transaction counts, outstanding volumes, fees, charge‑offs) to assess market size, trends, and policy impacts.
Who Bears the Cost
- Deferred deposit licensees (payday lenders): Face integration and operational costs to submit required fields in real time, procedural changes to report open transactions, and potential customer pushback when the $3 fee is passed through.
- Third‑party database providers: Must meet technical, security, escrow, and legal requirements, accept limits on data use, and bear risk of contract termination and civil liability for violations—raising vendor pricing and contracting complexity.
- Consumers: May bear the per‑transaction $3 fee if licensees pass it on, effectively increasing the cost of deferred deposit credit.
- Department of Financial Institutions (commissioner’s office): Takes on administration, vendor selection, rulemaking, and enforcement workload even as vendor fees flow to the department—implementation will require staff capacity and procurement expertise.
Key Issues
The Core Tension
The central dilemma: HB656 strengthens regulatory oversight by centralizing transaction data and giving the state enforcement tools, but doing so concentrates sensitive consumer data and raises compliance and vendor‑liability costs that may be passed on to the consumers the law seeks to protect; choosing how tightly to restrict vendor use, how much to fund enforcement from fees, and how long to retain records forces trade‑offs between privacy, effectiveness, cost, and market access.
HB656 creates practical and policy tensions that will shape implementation. Concentrating sensitive personal and financial data in a single state database improves detection of abusive borrowing patterns but raises concentrated risk from breaches, insider misuse, and mission creep; the statute limits vendor data use and builds confidentiality protections, but real security depends on procurement, technical design, and oversight.
The civil cause of action and potential debarment deter reckless vendors but may reduce market competition for providers or raise vendor pricing, which in turn could be passed back to licensees or customers.
Operational details are thin in places that matter. The statute leaves key terms—what counts as “accurately and promptly” submitting data, the specific technical standards for identity‑theft protections, the rules for handling disputed transaction records, and how the commissioner will validate vendor OFAC/FinCEN checks—to regulation.
The fixed $3 fee centralizes funding but also invites fee‑pass‑through to consumers; enforcement funding, vendor escrow mechanics, and monthly remittance create accounting and reconciliation points that will require careful administrative procedures. Finally, archival and deletion deadlines balance recordkeeping needs for enforcement against privacy, but three years may be short for complex investigations or civil discovery in related matters outside the subtitle.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.