InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC orders mental health service company to pay for privacy and data violations
On April 15, the FTC released its administrative complaint and joint stipulated order against a mental health service provider, requiring the provider to pay a total of more than $7 million, including $5.1 million for consumer refunds and $2 million in civil penalties. According to the complaint, the defendant collected sensitive personal health information and sold online mental healthcare treatments (i.e., telehealth) through its website to “hundreds of thousands” of patients between 2021 to 2022. The FTC alleged the mental health service provider had engaged in deceptive and unfair practices relating to the marketing of its data security practices, like failing to disclose material items, failing to obtain consumers’ express informed consent, and failing to implement adequate data security measures. In addition, the FTC alleged that the provider misled consumers about its cancellation of services, including failure to provide a mechanism to stop recurring charges. The FTC’s complaint specifically found that the company misrepresented how it would use and disclose patients’ personal information, mishandled and exposed “hundreds of thousands” of personal information, and failed to provide a means to cancel subscriptions. The FTC charged the defendant with violating Section 5 of the FTC Act covering deceptive privacy practices, deceptive data security practices, unfair privacy and data security practices, and deceptive cancellation practices – allegedly violating the Opioid Act, and violating the Restore Online Shoppers’ Confidence Act (ROSCA).
In the joint stipulated order, although the defendant neither admitted nor denied these allegations, the judgment prohibited the defendant from disclosing any covered information to any third party for advertising purposes, disclosing any covered information to an outside party without obtaining a consumer’s affirmative express consent, and misrepresenting its cancellation policies. The order also required the defendant to implement stronger protections of the private information of individuals and initiate regular assessments of its data security practices. The court ordered the defendant to pay $5,087,252 as monetary relief to consumers and a civil money penalty of $10 million, which the FTC agreed to suspend in exchange for a payment of $2 million, based on the defendant’s inability to pay the full civil money penalty.
Democratic senators pen letter to trade org. that brought suit against CFPB’s credit card late fee rule
On April 14, two Democratic senators, Sen. Elizabeth Warren (D-MA) and Sen. Sheldon Whitehouse (D-RI), wrote a letter to the head of a commercial trade organization that brought a lawsuit against the CFPB, challenging the CFPB’s rule capping credit card late fees. As previously covered by InfoBytes, the trade organization and other business groups sued the CFPB, challenging its recent final rule limiting most credit card late fees to $8. The senators wrote that the trade organization’s decision to sue was “outrageous and unwarranted” as the senators sought an explanation for the opposition.
The senators stated that the lawsuit was “frivolous,” and argued that the trade organization neglected “Main Street businesses” and instead was “doing the dirty work of its big bank members” who charged these high fees. Bolstering their position that the rule would cover large credit card issuers only, the senators noted that the rule would be expected to apply to less than one percent of the 4,000 financial institutions offering credit cards. Further, the senators argued that this lawsuit was a pattern of the trade organization representing the interests of large corporations, citing a report that found that only 23 of the 28 million small businesses in the U.S. benefited from the trade organization’s litigation. In seeking an explanation, the senators requested answers to a series of questions, including “How did [the trade organization] reach the decision to sue the CFPB to stop the agency from putting this rule in place?” and “Has the [trade organization] conducted an economic analysis of how the CFPB proposal would impact its members?”
FTC amends the TSR on recordkeeping and prohibiting misrepresentations
On April 16, the FTC issued a final rule amending the Telemarketing Sales Rule (TSR) to add requirements for telemarketers to maintain transaction records, prohibit misrepresentations, and add a new definition for “previous donor” in the context of robocalls on behalf of charitable organizations. This will be the fifth time the TSR has been amended since its enactment in 1995, with previous amendments creating the National Do Not Call Registry in 2003, prohibiting sellers to use prerecorded messages (i.e., robocalls) in 2008, banning debt relief services from requiring an advance fee in 2010, and most recently, barring certain payment mechanisms used in fraudulent transactions in 2015. The FTC’s new amendments to the TSR will require telemarketers to retain a copy of each prerecorded message, call detail records, records to show an established business relationship, records on charitable donations and the do-not-call registry. On the rule’s efforts to prohibit misrepresentations, marketers will be prohibited from making misrepresentations about the good or service they are selling or false statements to induce a charitable contribution. The final rule also will update the definition of “previous donor” to allow telemarketers to place robocalls on behalf of a charity only to customers who have donated to a charity within the previous two years. The amendment will go into effect on May 16 with mandatory compliance beginning October 16.
FTC issues NPRM to extend TSR coverage for inbound calls on elder fraud
On April 16, the FTC published an NPRM for the Telemarketing Sales Rule (TSR) in the Federal Register to extend the TSR’s coverage to inbound telemarketing calls by consumers to include technical support service – i.e., calls that consumers would make in response to an advertisement. The FTC noted this extension of the TSR would allow the FTC to “obtain stronger relief,” such as civil penalties and consumer redress, when consumers would be affected by tech support scams. The FTC argued that this proposed expansion of the TSR would be necessary given the rise in consumer complaints regarding tech support scams, explaining that consumer complaints rose from 40,000 complaints in 2017 to nearly 115,000 complaints in 2021. Additionally, the FTC explained that in 2018, consumers reported losses totaling over $55 million from these scams and noted that the scams disproportionately affected consumers over 60 years old. The proposed rule would define technical support services as a program or service that would be marketed to repair, maintain or improve the performance and security of electronic devices. The FTC explained that this broad definition will be necessary because scammers purport to offer such services as they evolve with changes to technology and consumer behavior; additionally, scammers would aim to profit from a consumer’s problems or unfamiliarity with technology. In sum, the proposed rule would add “tech support services” to the list of categories excluded from the TSR exemptions for inbound calls, specifically when such calls are in response to an advertisement “through any medium”; this exclusion will also extend to inbound calls in response to “a direct mail solicitation” including email. The FTC will seek comments on its proposed rule, including on nine specific questions, and comments must be received by June 17.
CFPB finalizes rule to change its supervision designation procedures for nonbanks
On April 16, the CFPB issued a procedural rule to change how the Bureau will designate nonbanks for supervision. Under the CFPA, the CFPB was authorized to supervise a nonbank covered person if the Bureau had reasonable cause to determine if the nonbank covered person was engaged in financial services-related conduct that posed a risk to consumers. In 2013, the CFPB issued a rule providing procedures to govern supervisory designation proceedings under this authority; in 2022, the CFPB published a final rule amending the procedural rule to allow it to publicize its resolution of any contested designation proceeding (covered by InfoBytes here). In late February 2024, the CFPB transitioned to a new organizational structure for its supervision and enforcement work, and this rule will reflect the technical changes of the new structure in the context of supervisory designation proceedings.
According to the Bureau, there were small differences between two separate provisions under the 2013 rule that allowed nonbanks to consent to the CFPB’s exercise of supervisory authority. The new procedural rule will combine these provisions and clarify a few points of distinction from the two original provisions, including (i) a consent agreement does not constitute an admission; and (ii) supervision durations following consent agreements can be negotiated on a case-by-case basis, instead of applying a default duration of two years.
Regarding the Supervision Director’s notice of reasonable cause, the rule will expand the possible methods of delivery to include other methods that are “reasonably calculated to give notice.” Additionally, the rule states that the initiating official may withdraw a notice, and that they may file a written reply to the notice recipient’s response, neither of which was not contemplated under the previous rule. The Bureau said these changes could allow for more transparency in the decision-making process.
Concerning a supplemental oral response, the Bureau noted under the previous rule, a respondent nonbank entity presented supplemental oral responses to the Associate Director for Supervision, Enforcement, and Lending. In light of the elimination of the Associate Director position pursuant to a recent reorganization that split the Division of Supervision, Enforcement, and Fair Lending into a Division of Enforcement and a Division of Supervision, the rule provided that the Director of the Bureau will assume the Associate Director’s adjudicative roles and supervision-related functions. Therefore, the Director will be responsible for issuing a decision and order subjecting an entity to the Bureau’s supervision or terminating a proceeding.
The rule further stipulated that (i) an additional time limit for mail and delivery services are no longer warranted, since email would be “generally instantaneous”; (ii) there will be a 13,000-word limit for the proceeding filings; (iii) any changes to time or word limits can be decided between the initiating official and the respondent with a notice to the Director and will be subject to change by the Director.
Regarding the confidentiality of proceedings, the rule maintained a process for the CFPB to decide whether to publicly release final decisions and orders, including orders entered as a result of respondent failing to file a response and therefore defaulting. The Bureau did note, however, consent agreements entered into between the initiating official and the respondent will not be subject to public release under the rule.
The rule also established an issue exhaustion requirement, requiring respondents to raise arguments they have in their written response to the Bureau to avoid waiving the argument in future proceedings. The Bureau will invite public comments which must be submitted 30 days after publication in the Federal Register, although the rule will be exempt from the notice-and-comment rulemaking requirements under the APA as a rule of agency organization, procedure, or practice. The rule will be effective upon publication to the Federal Register, and it will apply to proceedings pending on the effective date, unless the Director determined that it will be “not practicable.”
District Court grants bank a MSJ in overdraft fee class action case
On April 16, the U.S. District Court for the Eastern District of Michigan entered an opinion and order granting defendant bank’s motion for summary judgment in an overdraft fee-related consumer class action. In this case, plaintiffs claimed that defendant breached its account agreements in connection with two related but distinct practices that the plaintiffs claimed were inconsistent with their account agreement. The first practice involved the assessment of overdraft fees on transactions that were initially authorized with a positive balance but settled at a time when the account had a negative balance, labeled Authorize Positive, Purportedly Settle Negative transactions (APPSN). The second practice imposed insufficient fund (NSF) fees each time the same item was re-presented by a merchant and declined by the bank due to a lack of funds. The complaint alleged a breach of contract and conversion against the bank based on these two fee practices.
In a previous order in 2021, the court denied defendant’s motion to dismiss as to plaintiff’s breach of contract claim but granted dismissal as to plaintiff’s conversion claim. In denying the motion to dismiss the breach of contract of claim, the court determined the account agreement was ambiguous as to the overdraft fees since it was unclear whether defendant would assess overdraft fees at the time of a debit's authorization or at the time of its settlement. The court held that the account agreement was similarly ambiguous as to the NSF fees, since the agreement’s language lent itself to multiple reasonable interpretations of the meaning of “item.”
In the current opinion, the court held that the language of the updated disclosure guide provided to the plaintiff removed the perceived ambiguity in the contractual language, finding that plaintiff’s interpretation was “unreasonable because it contradict[ed] the language of the [a]greement as a whole, including the updated disclosure guide.” The court explained that the updated disclosures made it clear that customers could still incur an overdraft fee if their balance goes negative before a debit authorization hold would be lifted and the actual transaction settled, despite having a positive balance at the time the hold was placed. The court highlighted that the new disclosure guide included a practical example demonstrating the impact of a temporary debit authorization hold on an account’s available balance.
Further, the court noted that even if the agreement was ambiguous, plaintiff would still be unsuccessful in pursuing her breach of contract claim because it had been established that she did not actually read the specific contract terms in question. The court noted, under Michigan law, there cannot be a factual question as to the meaning of a contract where one party had not read the contract to form a different understanding of the contract. The court applied a similar analysis to dismiss the allegations relating to the NSF fees. Finally, the court held that plaintiff failed to demonstrate a genuine issue of material fact regarding her claim of breach of an implied covenant of good faith and fair dealing because the applicable fees were contemplated by the parties’ agreement.
Maine amends processes regarding sale of foreclosed properties for nonpayment of taxes
On April 16, the Governor of Maine signed into law HP 1452 (the “Act”), which will amend the selling processes for foreclosed properties, specifically when a property is being foreclosed upon following a failure to pay taxes. The Act will provide that any money returned to the former owner of a property pursuant to a foreclosure sale due to nonpayment of taxes will be exempt from attachment to claims for a period of 12 months. The Act will also amend the form notice provided for impending foreclosure due to nonpayment of taxes to read “[i]f the tax lien forecloses, the municipality will own your property and may sell it and return excess sale proceeds to you.” Under the sale of foreclosed properties, the Act also added a definition of “tax-acquired property,” defined to mean any real property taken by a municipality for nonpayment of property taxes. The Act added requirements outlining the sale process, amending some payment and notice requirements and adding that a seller must provide a written accounting record of the amount of excess sale proceeds at the former owner’s request. Of interest, Section 4-A of the Act noted that if a real estate broker or agent failed to sell the property within a year, or the municipality failed to contract with a real estate broker or agent after three attempts, then the municipal officers may sell the property in any authorized manner and return the proceeds to the former owner. There are additional provisions adding requirements for receipts and notices, as well as on transfer of proceeds. The Act will go into effect 90 days after the state legislature adjourned, which will be on July 16.
Massachusetts’ attorney general issues AI guidance related to state UDAP law
On April 16, the Attorney General for Massachusetts (AG) released an advisory notice on how developers, suppliers and users of artificial intelligence (AI) should avoid “unfair and deceptive” practices to comply with consumer protection laws. The AG noted how AI systems could pose consumer harms, including through bias, lack of transparency, and data privacy issues – since consumers often lack the ability to avoid or test the “appropriateness” of AI systems forced upon them. Chapter 93A of Massachusetts law, the Massachusetts Consumer Protection Act, protected consumers against “unfair and deceptive” practices, the definition of which has changed over time. In addition to the consumer protection law, the AG highlighted several other state and federal consumer protections, including the ECOA, to bolster her advisory.
The AG’s advisory construed Chapter 93A to apply to AI, clarifying that the following practices may qualify as “unfair or deceptive”: (i) a company falsely advertising the quality of its AI systems; (ii) a company suppling a defective or impractical AI system; (iii) a company misrepresenting the reliability or safety of its AI system; (iv) a company putting an AI system up for sale in breach of warranty, meaning that the system was unfit for the purpose for which it was sold; (v) a company using multimedia content to impersonate or deceive (such as using a deep fake, voice cloning, or chatbots within fraud); (vi) or a company failing to comply with other Massachusetts’ statutes.
Tennessee updates its UCC to amend “money” definition and include CBDCs
On April 11, the Governor of Tennessee signed into law SB 2219 (the “Act”) that amended Section 47-1-201(b) of the Tennessee Code by redefining “money” and codifying “central bank digital currency.” The term “money” was updated to include a new provision that will state that money does not include a central bank digital currency. “Central bank digital currency” will instead be defined as a digital currency issued by a federal reserve, foreign government or foreign reserve system, and will include a digital currency, digital medium of exchange, or digital monetary unit of account processed by the entity. The Act will go into effect on July 1.
Iowa enacts new money transmission provisions
On April 10, Iowa’s governor signed into law HF 2262 (the “Act”) relating to money transmission services. The Act will exempt a person appointed as an agent of a payor for purposes of providing payroll processing services from licensure, provided that their agreement and services meet certain conditions. The Act will also allow the superintendent to suspend or revoke a licensee’s license, should they, among other things: (i) violate the Act; (ii) fail to cooperate with an examination or investigation conducted by the superintendent; (iii) engage in willful misconduct or blindness and, which leads to a conviction of an authorized delegate for violating a state or federal anti-money laundering statute, or violates the Act, a rule adopted under the Act, or an order issued under the Act; or (iv) engage in an unsafe or unsound practice. Further, the Act will detail different scenarios in which the superintendent may pursue an enforcement action. For instance, if the superintendent determined any violations were “likely to cause immediate and irreparable harm to the licensee, the licensee’s customers, or the public, or cause insolvency” the superintendent may issue a cease and desist order. Finally, the Act will provide guidelines for investigations, civil penalties, criminal penalties, and administrative proceedings. The Act became effective upon enactment and will apply retroactively to July 1, 2023.