
InfoBytes Blog

Financial Services Law Insights and Observations


  • Illinois Supreme Court says BIPA claims accrue with every transmission

    Privacy, Cyber Risk & Data Security

    On February 17, the Illinois Supreme Court issued a split decision holding that under the state’s Biometric Information Privacy Act (BIPA), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The plaintiff filed a proposed class action alleging a defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting her biometric data and disclosing the data to a third-party vendor without first obtaining her consent. According to the plaintiff, the defendant introduced a biometric-collection system that required employees to scan their fingerprints in order to access pay stubs and computers shortly after she began her employment in 2004. Under BIPA (which became effective in 2008), section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining “a person’s biometric data without first providing notice to and receiving consent from the person,” whereas section 15(d) provides that private entities “may not ‘disclose, redisclose, or otherwise disseminate’ biometric data without consent.” While the plaintiff asserted that the defendant did not seek her consent until 2018, the defendant argued, among other things, that the action was untimely because the plaintiff’s claim accrued the first time the defendant obtained her biometric data. In this case, the defendant argued that the plaintiff’s claim accrued in 2008 after BIPA’s effective date. The plaintiff countered that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.” The U.S. District Court for the Northern District of Illinois agreed with the plaintiff but certified its order for immediate interlocutory appeal after “finding that its decision involved a controlling question of law on which there is substantial ground for disagreement.”

    The U.S. Court of Appeals for the Seventh Circuit ultimately found that the parties’ competing interpretations of claim accrual were reasonable under Illinois law, and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court. The question certified to the high court asked whether “section 15(b) and (d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]”

    The majority held that the plain language of the statute supports the plaintiff’s interpretation. “With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub,” the high court said. The majority rejected the defendant’s argument that a BIPA claim is limited to the initial scan or transmission of biometric information since that is when the individual loses the right to control their biometric information “[b]ecause a person cannot keep information secret from another entity that already has it.” This interpretation, the majority wrote, wrongfully assumes that BIPA limits claims under section 15 to the first time a party’s biometric identifier or biometric information is scanned or transmitted. The Illinois Supreme Court further held that “[a]s the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’” However, the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” adding that because “we continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature, . . . [w]e respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”

    The dissenting judges countered that “[i]mposing punitive, crippling liability on businesses could not have been a goal of [BIPA], nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.” “Indeed, the statute’s provision of liquidated damages of between $1000 and $5000 is itself evidence that the legislature did not intend to impose ruinous liability on businesses,” the dissenting judges wrote, cautioning that plaintiffs may be incentivized to delay bringing claims for as long as possible in an effort to increase actionable violations. Under BIPA, individuals have five years to assert violations of section 15—the statute of limitations recently established by a ruling issued by the Illinois Supreme Court earlier this month (covered by InfoBytes here).

    Privacy, Cyber Risk & Data Security Courts State Issues Illinois BIPA Enforcement Consumer Protection Class Action Appellate

  • OFAC issues sanctions compliance guidance for transactions related to Syrian earthquake disaster relief

    Financial Crimes

    On February 21, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions compliance guidance for authorized transactions related to Syrian earthquake disaster relief. The OFAC Compliance Communique: Guidance on Authorized Transactions Related to Earthquake Relief Efforts in Syria responds to questions from nongovernmental organizations and the general public on how to provide assistance and funding to earthquake relief efforts in Syria that would otherwise be prohibited by the Syrian Sanctions Regulations. As previously covered by InfoBytes, earlier in February, OFAC issued Syria General License (GL) 23 to authorize certain transactions ordinarily prohibited by OFAC sanctions. Among other things, GL 23 informed U.S. financial institutions and U.S. registered money transmitters that they “may rely on the originator of a funds transfer with regard to compliance” for transactions related to earthquake relief efforts in Syria, provided that the financial institution does not know or have reason to know that the funds transfer is not related to such efforts.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Syria

  • Treasury official warns that the cost of doing business with Russia is steep

    Financial Crimes

    On February 21, Deputy Secretary of the Treasury Wally Adeyemo discussed sanctions efforts and export controls taken by a coalition of more than 30 nations over the past year to immobilize the majority of Russia’s sovereign wealth and central bank assets. Adeyemo noted that the breadth of this coalition will enable Russia’s continued isolation, and emphasized that those nations that fail to implement these sanctions and export controls will be forced to choose between their economic ties with the coalition and providing material support to Russia. Recognizing that the Russian government is actively seeking ways to circumvent these sanctions, Adeyemo laid out the coalition’s plan for countering sanctions evasion, as follows: (i) “improve information sharing and coordination among our allies, as well as share additional information with firms in our countries to garner their assistance in preventing countries, companies, and individuals from providing material support to Russia”; (ii) take measures to identify and shut down the specific channels used by Russia to equip and fund its military; and (iii) apply pressure on companies and jurisdictions known to allow or facilitate sanctions evasion. Adeyemo warned that “[o]fficials from the U.S. and the governments of our coalition partners are also engaging with companies and banks in these jurisdictions to tell them directly that if they do not enforce our sanctions and export controls, we will cut them off from access to our markets and financial systems.” He added that the “cost of doing business with Russia in violation of our policies is a steep one, and companies and financial institutions should not wait for their governments to make the decision for them.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Russia

  • Treasury official highlights fintech, crypto assets, and cloud services challenges

    Federal Issues

    On February 15, Treasury Assistant Secretary for Financial Institutions Graham Steele delivered remarks before the Exchequer Club of Washington, D.C., during which he discussed the U.S. Treasury Department’s financial institutions agenda on fintech, cryptocurrency, and cloud service providers. Stating that “significant potential exists to harness the underlying technology in fintech, digital assets, and cloud services adoption,” Steele cautioned that there exist common risks across these spaces related to inadequate oversight, excessive concentration, and consumer harms.

    With respect to nonbanks and fintech, Steele noted that participation by nonbanks in financial services is a key priority for Treasury. He commented that while nonbanks add diversity and competitive pressure to consumer finance markets, they “have largely not been subject to the kind of comprehensive regulation and supervision to which banks are subject,” which has created numerous “risks related to regulatory arbitrage, data privacy and security, bias and discrimination, and consumer protection, among others.” Steele highlighted recent Treasury recommendations primarily focused on using existing authorities held by the federal banking regulators and the CFPB as a way to coordinate supervision of bank-fintech partnerships and credit underwriting models. Another area of concern, Steele noted, is big technology firms—those that generally seek to enter the consumer finance market via relationships with banks and third-party fintech firms, and that avoid prudential regulation, supervision, and risk-management requirements that would apply if they offered banking services. “Big Tech firms may have incentives to leverage their existing commercial relationships, consumer data, and other resources to enter new markets, expand their networks and offerings, and scale rapidly to achieve capabilities that others—including depository institutions—do not have and cannot replicate,” Steele said.

    Steele also touched on Treasury’s objectives for crypto assets, in which he referred to several studies examining “the potential financial stability implications of crypto-asset activities” and the risks and opportunities they might present to consumers, investors, and businesses. He also addressed concerns about misleading claims and representations in this space (for example, with respect to the availability of deposit insurance) and noted that there exist several gaps in existing authorities over crypto assets. Finally, Steele discussed a recent Treasury report, which examined potential benefits and challenges associated with the adoption of cloud services technology by financial services firms (covered by InfoBytes here).

    Federal Issues Digital Assets Fintech Privacy, Cyber Risk & Data Security Department of Treasury Nonbank Cryptocurrency Cloud Technology

  • District Court allows FTC suit against owners of credit repair operation to proceed

    Federal Issues

    On February 13, the U.S. District Court for the Eastern District of Michigan denied a motion to dismiss filed by certain defendants in a credit repair scheme. As previously covered by InfoBytes, last May the FTC sued a credit repair operation that allegedly targeted consumers with low credit scores promising its products could remove all negative information from their credit reports and significantly increase credit scores. At the time, the court granted a temporary restraining order against the operation for allegedly engaging in deceptive practices that scammed consumers out of more than $213 million. The temporary restraining order was eventually vacated, and the defendants at issue (two individuals and two companies that allegedly marketed credit repair services to consumers, charged consumers prohibited advance fees in order to use their services without providing required disclosures, and promoted an illegal pyramid scheme) moved to dismiss themselves from the case and to preclude the FTC from obtaining permanent injunctive and monetary relief.

    In denying the defendants’ motion to dismiss, the court held, among other things, that “controlling shareholders of closely-held corporations are presumed to have the authority to control corporate acts.” The court pointed to the FTC’s allegations that the individual defendants at issue were owners, officers, directors, or managers, were authorized signatories on bank accounts, and had “formulated, directed, controlled, had the authority to control, or participated in the acts and practices set forth in the complaint.” The court further held that the FTC’s allegations raised a plausible inference that the individual defendants have the authority to control the businesses and demonstrated that they possessed, “at the most basic level, ‘an awareness of a high probability of deceptiveness and intentionally avoided learning of the truth.’”

    The court also disagreed with the defendants’ argument that the permanent injunction is not applicable to them because they have since resigned from their controlling positions at the related businesses, finding that “[t]his development, if true, does not insulate them from a permanent injunction.” The court found that “the complaint contains plausible allegations of present and ongoing deceptive practices that would authorize the [c]ourt to award a permanent injunction ‘after proper proof.’” In addition, the court said it may award monetary relief because the FTC brought claims under both sections 13(b) and 19 of the FTC Act and “section 19(b) contemplates the ‘refund of money,’ the ‘return of property,’ or the ‘payment of damages’ to remedy consumer injuries[.]”

    Federal Issues Courts FTC Enforcement Credit Repair Consumer Finance FTC Act Credit Repair Organizations Act UDAP Deceptive Telemarketing Sales Rule

  • FTC launches Office of Technology

    Federal Issues

    On February 17, the FTC launched a new Office of Technology to strengthen the agency’s ability to keep pace with technological challenges in the digital marketplace. The Office of Technology will support the FTC’s enforcement and policy work, and will be headed by Chief Technology Officer Stephanie T. Nguyen who said it is a “vital time to strengthen the agency’s technical expertise and meet the quickly evolving challenges of the digital economy.” Specifically, the Office of Technology will (i) strengthen and support law enforcement investigations into business practices and the underlying technologies by “helping to develop appropriate investigative techniques, assisting in the review and analysis of data and documents received in investigations, and aiding in the creation of effective remedies”; (ii) work with FTC staff and the Commission on policy and research initiatives to provide technological expertise on non-enforcement actions; and (iii) engage with the public and external stakeholders on market trends and emerging technologies that impact agency work. “Our office of technology is a natural next step in ensuring we have the in-house skills needed to fully grasp evolving technologies and market trends as we continue to tackle unlawful business practices and protect Americans,” FTC Chair Lina Khan said.

    Federal Issues FTC Technology

  • NCUA approves final cyber incident reporting rule

    Agency Rule-Making & Guidance

    On February 16, the NCUA approved a final rule that requires federally-insured credit unions (FICUs) to notify the agency as soon as possible (and no later than 72 hours) after a FICU “reasonably believes that a reportable cyber incident has occurred.” Specifically, the rule requires FICUs to report cyber incidents that lead “to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.” Under the rule, FICUs must report any cyberattacks that disrupt their business operations, vital member services, or a member information system within 72 hours of the FICU’s “reasonable belief that it has experienced a cyberattack.” The NCUA explained that the 72-hour notification requirement provides an early alert to the agency but that the rule does not require the submission of a detailed incident assessment within this time frame. The final rule takes effect September 1. Additional reporting guidance will be provided prior to the effective date.

    “Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” NCUA Chairman Todd M. Harper said. Harper further explained that “[t]his final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

    Agency Rule-Making & Guidance Federal Issues Privacy, Cyber Risk & Data Security NCUA Credit Union Data Breach

  • OCC revises guidance on change in bank control

    On February 16, the OCC released an updated version of the “Change in Bank Control” booklet of the Comptroller’s Licensing Manual. According to OCC Bulletin 2023-7, the revised licensing booklet—which outlines OCC policies and procedures regarding filings by persons who wish to acquire control of a national bank or federal savings association “through the purchase, assignment, transfer, pledge, exchange, succession, or other disposition of voting stock”—removes references to outdated guidance, provides current references to relevant guidance, and makes other minor modifications and corrections throughout. The booklet applies to all national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.

    Bank Regulatory Federal Issues OCC Comptroller's Licensing Manual

  • 2nd Circuit says collection letter sent on law firm letterhead did not violate FDCPA

    Courts

    On February 13, the U.S. Court of Appeals for the Second Circuit affirmed summary judgment in favor of a defendant law firm accused of violating the FDCPA when it sent the plaintiff a collection letter on law firm letterhead. The plaintiff claimed both that the letter overshadowed her validation notice by failing to advise her that her validation rights were not overridden because her account had been placed with a law firm and that the letter falsely implied it was a communication from an attorney even though no attorney was meaningfully involved in collecting the debt, which courts have found is prohibited under the FDCPA. The district court granted summary judgment to the defendant on both grounds. The district court held that “because there was meaningful attorney involvement in the collection of plaintiff’s debt,” the letter was not required to include a disclaimer regarding the lack of attorney involvement in the debt collection effort. Additionally, the district court held that because the letter did not refer to any consequences should the plaintiff fail to repay the outstanding debt, “the mere fact that [the] Collection Letter is printed on law firm letterhead does not, by itself, imply an immediate threat of legal action overshadowing a validation notice in violation of the FDCPA.” The plaintiff appealed.

    In affirming the grant of summary judgment, the appellate court rejected the plaintiff’s argument that, because several of the steps the attorney supposedly followed were “performed by non-attorneys,” were “automated,” or could have been completed in a minimal amount of time, there was not meaningful attorney involvement. According to the 2nd Circuit, even if these facts were true, they did not refute the attorney’s “statement that he conducted a meaningful legal analysis of [plaintiff’s] account and ‘formed an opinion about how to manage [the] case.’” “We have never established a specific minimum period of review time to qualify as meaningful attorney involvement, and the only function that [plaintiff] has identified that [defendant] did not perform before approving the letter was establishing a specific plan to sue in the event of non-payment.” Consequently, the appellate court concluded that the FDCPA did not require the defendant to provide a disclaimer in its initial collection letter to the plaintiff.

    Courts Appellate Second Circuit FDCPA Debt Collection Consumer Finance

  • Massachusetts AG reaches $6.5M settlement over deceptive auto-renewal and collection practices

    State Issues

    The Massachusetts attorney general recently reached a $6.5 million settlement with a home security services company, its sister companies, and its CEO to resolve allegations that the defendants violated Massachusetts consumer protection laws by trapping customers in auto renewal contracts and engaging in illegal debt collection practices. The final judgment by consent, filed in Suffolk County Superior Court, resolves a 2019 lawsuit alleging the defendants engaged in unfair and deceptive tactics to prevent customers from canceling their contracts, charged for services during system outages or for services that were never provided, steered customers into contract renewal instead of cancellation, and engaged in aggressive and illegal debt collection practices. Under the terms of the settlement, the defendants are required to pay $1.8 million and waive and forgive $4.7 million of outstanding customer debt. Although they denied the allegations, the defendants have agreed to implement changes to their business practices, including taking measures to come into compliance with the attorney general’s debt collection regulations, offering credits to customers who purchased non-functional systems that cannot be repaired, implementing new complaint procedures, and permitting existing customers to cancel their contracts by telephone, email, and web portal. Additionally, the defendants will make several revisions to the terms of their contracts relating to auto-renewal practices, monitoring charges, cancellation policies and procedures, late fees and other costs.

    State Issues State Attorney General Massachusetts Settlement Debt Collection Consumer Finance
