InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Bank to pay $18 million for violating a whistleblower protection rule
On January 16, the SEC accepted a global financial services firm’s offer of settlement to resolve allegations of violations of the whistleblower protection rule, which prohibits any action that might impede an individual from communicating with the SEC about securities law violations. According to the SEC, from March 2020 through July 2023, the firm asked clients to sign a confidential release if they were issued a credit or settlement from the firm of more than $1,000. The release required clients to “promise[] not to sue or solicit others to institute any action or proceeding against [respondent] arising out of events concerning the [a]ccount.” The SEC claimed that at least 362 clients have signed the release since 2020. In connection with the settlement, the firm agreed to be censured, to cease and desist further violations of the rule, and to pay an $18 million civil money penalty.
Texas resolves securities fraud case with decentralized finance lending platform
Recently, a decentralized finance crypto lending platform and its owners (respondents) entered into a settlement agreement with a Texas regulatory agency, resolving an emergency cease-and-desist action brought in June 2023. The Texas State Securities Board alleged that respondents committed securities fraud in connection with the offers and sales of investments, falsely denied the platform’s impending bankruptcy, and “secretly” transferred customer funds to a crypto exchange, as well as offered unregistered securities. Under the terms of the settlement, respondents have agreed to, among other things, (i) inform clients of its plan for asset return within seven days of the settlement and provide a seven-day window for clients to withdraw assets through the app; (ii) continue to provide customer support to prior customers; (iii) pay an administrative fine; and (iv) cease-and-desist from selling unregistered securities in the state without admitting or denying the allegations. Texas also agreed to dismiss its emergency cease-and-desist order as part of the settlement.
Colorado Attorney General fines debt collector $500,000 for collecting on illegal loans
On January 16, the Colorado State Attorney General (AG) reached a settlement agreement with a third-party debt collection company that is ordered to pay $500,000 to the State. The company previously contracted to collect debt from consumers on behalf of unlicensed lending entities associated with Native American tribes, or Tribal Lending Entities (TLEs). According to the settlement agreement, none of the TLEs were licensed Colorado lenders and all of their loan agreements with consumers contained finance charge terms that exceeded the Uniform Consumer Credit Code’s 12 percent finance charge cap on unlicensed lenders—with most having interest rates that exceeded 500 percent APR and some up to 900 percent APR. The AG alleged that, between 2017 and 2022, the company violated the Colorado Fair Debt Collection Practices Act by using “unfair or unconscionable means” to collect on defaulted TLE-issued loans by representing to consumers that the entire loan balance was owed to the TLEs, that the company was legally authorized to collect the payments, and that consumers were legally obligated to pay the full amount. The company denies that its conduct violated any state law and otherwise denies all allegations of wrongdoing. Along with the penalty, the company will be barred from collecting on any debt where the loan’s APR exceeded the 12 percent cap and will provide the State with a list of affected consumers within 30 days.
Fed’s OIG report on CFPB says training improvements needed to meet enforcement goals
Recently, the Office of Inspector General of the Federal Reserve Board released a report assessing the CFPB’s process for conducting enforcement investigations. The report makes two key recommendations. First, noting that the CFPB has not met its stated goal to file or settle 65 percent of its enforcement actions within two years, the OIG recommended that the CFPB Office of Enforcement incorporates the timing expectations for key steps in the enforcement process into the tracking and monitoring of matters. In addition, the Office of the Inspector General also recommended improvements to enforcement staff training on document maintenance and retention requirements for the CFPB’s matter management system. The report states that the recommendations were accepted by the CFPB, with a follow-up to ensure full implementation.
FTC bans data aggregator company from selling consumer data
On January 18, the FTC issued a complaint against a digital platform and data aggregator (the company) and ordered the company to no longer sell or license precise location data, among other requirements. As previously covered by InfoBytes, the FTC’s order followed a recent FTC decision against a data broker in which the FTC alleged the data broker’s contracts were “insufficient to protect consumers from the substantial injury” caused by location data collection as consumers visited sensitive locations, such as churches, healthcare facilities, and schools.
In this case, the company obtained large amounts of personal data on consumers’ demographic data, movements, and purchasing history and retained that information for five years. The company had applications and third-party apps that have been downloaded over 390 million times, leading to about 100 million unique devices sending location data each year to the company. Like the previous FTC order, this FTC order alleged the company collected sensitive information on where consumers live, work, and worship; where their children went to school; where they received medical treatment; and if they attended rallies or demonstrations. The FTC alleged that the company cross-references consumers’ data location histories with points of interest to advertisers, including offering a push notification about a product when a consumer is located near a store that sells that product.
The FTC alleged the company failed to notify users that consumers’ location data is used for targeted advertising. Additionally, the FTC alleged the company retains consumer data “longer than reasonably necessary” which the FTC argues could lead to future consumer injury. According to the FTC, these allegations constitute deceptive or unfair practices as prohibited by Section 5(a) of the FTC Act. Under the order, the company must not materially misrepresent how the company collects or uses consumers’ location data, the company must not sell or license location data, and the company must implement a sensitive location data program as proscribed by the order. The company must also delete all historical location data for all consumers which does not affirmatively consent to the continued retention of such data. The company neither admits nor denies any of these allegations.
Student loan servicer fined $1.8 million by Massachusetts Attorney General
On January 11, the Massachusetts Attorney General (AG) announced a $1.8 million settlement with a student loan servicer, to resolve allegations that the company did not properly communicate Income-Driven Repayment (IDR) plan renewals to borrowers. According to the settlement, IDR plans are a “helpful tool for managing unaffordable federal student loan debt and avoiding the consequences of default… [and respondent] is required to follow specific procedures intended to ensure that borrowers are able to successfully navigate the enrollment and annual recertification processes required for IDR.” The AG alleged that the respondent violated state law by sending written notices that did not meet regulatory requirements and failed to send required notices.
Under the terms of the settlement, respondent will (i) pay $1.8 million; (ii) include certain disclosures in renewal notice correspondence to borrowers; (iii) comply with requirements for FFELP loans owned by the DOE and enrolled in certain repayment plans; (iv) clearly disclosure to certain borrowers that failure to timely provide certain information about income or family size will result in increased monthly payments; and (v) retain copies of each written communication that it sends to borrowers regarding their IDR plans. The student loan servicer enters into this agreement for settlement purposes only (without admission).
NYDFS orders digital currency trading company to pay $8 million
On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.
NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense, the license required to be held by any company conducting virtual currency business in New York state and pay an $8 million penalty.
OCC releases January enforcement actions
On January 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a notice of charges seeking cease and desist orders against three subsidiary banks of the same bank holding company (see here, here, and here), which alleged that each bank engaged in unsafe or unsound practices relating to an investment strategy concentrated in long-term securities. The unsafe practices, the OCC explained, exposed each bank to excessive interest rate risk without adequate sources of contingency funding and contingency capital. The OCC further alleged that each bank failed to mitigate such risk in a timely manner.
DFPI fines online platform for omitting convenience fee disclosures
On January 9, DFPI issued a consent order against an online platform (respondent) that enables merchants to provide installment contracts to customers. The consent order resolved alleged violations of the California Consumer Financial Protection Law (CCFPL) arising from the convenience fees assessed by a third-party service provider when consumers opt to pay their installments online or by phone. According to the consent order, since 2021 respondent guaranteed that consumers entering into contracts on its platform had a fee-free payment method. However, for a time respondent failed to disclose potential optional convenience fees in the initial contract. Although the third-party servicer disclosed the convenience fees to consumers, DFPI took issue with the respondent’s failure to disclose these fees before transferring consumers to the third-party servicer to enter into the contracts. In other words, consumers only became aware of both the existence and amounts of these fees after entering into contractual obligations. DFPI accused respondent of deceiving consumers by failing to disclose this information first.
Under the terms of the consent order, respondent must pay a $50,000 penalty and must disclose information about the potential convenience fees that may be assessed by a servicer.
Title lender reaches settlement with Pennsylvania AG
On January 10, Pennsylvania AG Michelle Henry announced a settlement with a national auto title lending company, resolving alleged violations of the Pennsylvania Unfair Trade Practices and Consumer Protection Law and the Loan Interest and Protection Law (LIPL). According to the settlement, since 2016, the lender made thousands of vehicle title loans to Pennsylvania residents, with interest rates exceeding 100 percent without the necessary license required by the Consumer Discount Company Act.
The AG also noted that some of the loans resulted from leads that they bought from third parties who purported to have physical offices in Pennsylvania, when in fact, neither the lender nor its lead generators were in Pennsylvania. The AG also said that most Pennsylvania-based borrowers drove to one of the lender’s Delaware locations. Nonetheless, the AG said, “Pennsylvania usury laws apply because [the lender] collected money from Pennsylvania consumers and repossessed vehicles in Pennsylvania.” In the settlement, the lender denies all allegations of unlawful conduct, including the assertion that it knowingly acquired leads from third parties leading to loans for Pennsylvania residents. The lender explained its position that until the U.S. Court of Appeals for the Third Circuit rendered its opinion in another matter in January 2022, it held a “good faith and reasonable belief” based on then-existing law, particularly the Commerce Clause of the U.S. Constitution, that its operations were lawful.
Among other things, the settlement (i) requires the lender to pay $2.2 million in consumer restitution; (ii) requires the lender to cancel approximately $3.7 million in existing loans; (iii) enjoins and prohibits the lender from violating the LIPL; and (iv) requires the lender to return any repossessed vehicles at no charge and refund consumers of all repossession fees previously charged.