California Code
ARTICLE 4 - Regulations
Section 22157.1.

22157.1. (a) For purposes of this section:

(1) “Encrypted” has the same meaning as provided in paragraph (4) of subdivision (i) of Section 1798.82 of the Civil Code.

(2) “Remote location” means a personal residence or a temporary, nonpublic location not owned or leased by the licensee or an affiliate of the licensee that is not simultaneously accessible by anyone other than a single employee and individuals who maintain a common household with the employee.

(b) A licensee may designate an employee, when acting within the scope of employment, to perform work on the licensee’s behalf at a remote location if the licensee does all of the following:

(1) Prohibits in-person consumer interactions, including the physical receipt of cash or other monetary value or the disbursement of loan proceeds, at a remote location and does not designate a remote location to the public as a business location.

(2) Prohibits records required pursuant to Section 22156 from being physically mailed to, shipped to, or stored at a remote location except for storage on an encrypted device or encrypted media.

(3) Prohibits the physical receipt of mail related to the licensee’s licensed business at a remote location.

(4) Prohibits a consumer’s personal information from being physically stored at a remote location except for storage on an encrypted device or encrypted media.

(5) Provides an employee working at a remote location with appropriate equipment, which may include encrypted devices, virtual private networks, and similar technology, to perform work and safeguard licensee records and consumer personal information.

(6) Adopts and adheres to appropriate, as determined by the department, written policies and procedures to supervise and maintain appropriate control over the work of employees at remote locations and safeguard the licensee’s records and consumer personal information in connection with work at a remote location, including, but not limited to, all of the following elements:

(A) Employee data security training.

(B) Maintenance of security logs of remote logins.

(C) Procedures designed to detect suspicious logins or attempted logins and to suspend access by potentially compromised accounts or equipment.

(D) Data breach response procedures.

(7) (A) Records telephone calls with consumers conducted from a remote location to the same extent as telephone calls with consumers conducted from licensed locations.

(B) This paragraph does not require telephone call recording if the licensee does not do so in the normal course of business for the employee or business in question.

(8) All books, records, and persons that the commissioner is entitled to examine, inspect, or interview shall be made available to the commissioner at a licensed location.

(Added by Stats. 2022, Ch. 181, Sec. 3. (AB 2001) Effective January 1, 2023.)