InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN renews GTOs covering 12 metropolitan areas
On April 29, FinCEN reissued the renewal of its Geographic Targeting Orders (GTOs). The GTOs require U.S. title insurance companies to identify the natural persons behind shell companies that pay “all cash” (i.e., the transaction does not involve external financing) for residential real estate in the 12 major metropolitan areas covered by the orders. The renewed GTOs are identical to the October 2021 GTOs (covered by InfoBytes here). The purchase amount threshold for the beneficial ownership reporting requirement remains set at $300,000 for residential real estate purchased in the covered areas. The renewed GTOs take effect April 30 and end October 26, and cover certain counties within the following areas: Boston, Chicago, Dallas-Fort Worth, Honolulu, Las Vegas, Los Angeles, Miami, New York City, San Antonio, San Diego, San Francisco, and Seattle.
FinCEN FAQs regarding GTOs are available here.
FinCEN to issue second beneficial ownership NPRM later this year
On April 28, FinCEN acting Director Himamauli Das informed the House Financial Services Committee during a hearing on the oversight of the agency that FinCEN is currently developing a second notice of proposed rulemaking (NPRM) this year proposing “regulations governing access to beneficial ownership information by law enforcement, national security agencies, financial institutions and others.” The NPRM will be published this year and follows a previous proposal to implement the beneficial ownership information reporting provisions of the Corporate Transparency Act (CTA), which addresses who must report beneficial ownership information, when to report it, and what information must be provided (covered by InfoBytes here). In his written testimony, Das stated the agency also plans to issue a third and final proposal revising the Customer Due Diligence (CDD) regulation for financial institutions “no later than one year after the effective date of the final reporting rule,” as required by the statute. “The CTA directs that the revisions should bring the CDD regulation into conformance with the beneficial ownership rules under the CTA and reduce unnecessary or duplicative requirements, among other things,” Das said. “We are considering all options as we develop the Access Rule NPRM, and look forward to receiving public comments on our proposal when it is issued.” Das also noted that FinCEN is currently developing the beneficial ownership database, which will allow users to search and access certain beneficial ownership information. However, Das warned that limited resources “have presented significant challenges to meeting the implementation requirements of [FinCEN’s] expanded mandate under the Anti-Money Laundering Act, including the CTA’s beneficial ownership requirements . . . we are missing deadlines, and we will likely continue to do so.”
EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations
On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.” According to the judgment, Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against a global social media company’s Ireland division for allegedly infringing on General Data Protection Regulation (GDPR) rules governing the protection of personal data, the combat of unfair commercial practices, and consumer protection when offering users free games provided by third parties. Germany’s Federal Court of Justice called into question whether a consumer protection association has standing to bring proceedings in the civil courts against infringements of the GDPR without obtaining a mandate from users whose data was misused. Germany’s Federal Court of Justice also observed that the GDPR could be inferred to read that “it is principally for the supervisory authorities to verify the application of the provisions of that regulation.”
In its ruling, CJEU concluded that consumer protection associations in the EU can bring representative actions against the social media company for alleged violations of the GDPR, writing that the GDPR “does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data . . . where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” Permitting associations to bring representative actions is “consistent with the objective pursued by the GDPR . . . in particular, ensuring a high level of protection of personal data,” CJEU stated.
Connecticut legislature passes consumer data privacy bill
Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:
- Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national security associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
- Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
- Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.
If enacted in its current form, the bill would take effect July 1, 2023.
District Court grants class certification in FDCPA suit
On April 27, the U.S. District Court for the Western District of Pennsylvania granted a plaintiff’s motion for class certification in an action against a consumer debt buyer (defendant) for allegedly violating the FDCPA by stating that a judgment may be awarded prior to the expiration of a settlement offer, even though a collection lawsuit was not filed. According to the opinion, the plaintiff received a collection letter from the defendant that offered a “discount program” for his “Legal Collections account without any further legal action,” which had to be accepted within a month. The letter also stated that “[a] judgment could be awarded by the court before the expiration of the discount offer listed in this letter,” despite the fact that at the time the letter was received, there were no pending court cases in which a judgment could be entered against the plaintiff. After receiving the letter, the plaintiff filed suit, alleging that the defendant violated the FDCPA by making false, misleading, and deceptive misrepresentations about the debt. Among other things, the defendant argued that the size of the class would be impossible to ascertain because identifying class members would require individualized inquiries into who received a letter and when. By holding that the FDCPA violation occurred when a letter was sent rather than when it was received, the court rejected the defendant’s argument and ruled instead that individualized inquiry is not necessary. According to the district court, “[r]eviewing this information will, of course, require some level of individualized inquiry. But the need for file-by-file review to identify class members is not fatal to class certification.” The district court further noted that “[c]ourts and parties must be able to determine accrual dates with some degree of certainty,” and “[t[he date of receipt may often be impossible to determine, particularly where the recipient is an individual as opposed to a commercial entity.”
FTC proposes TSR amendments to extend robocall protections
On April 28, the FTC proposed rulemakings to extend protections for small businesses against telemarketing business-to-business schemes and strengthen safeguards to protect consumers from other telemarking scams. Both the notice of proposed rulemaking (NPR) and advance notice of proposed rulemaking (ANPRM) stem from the FTC’s regulatory review of the Telemarketing Sales Rule (TSR) and address public comments received as part of the review.
The NPR proposes to amend TSR recordkeeping requirements to require telemarketers to retain seven new categories of information related to their telemarketing activities, including records concerning each unique prerecorded message, records sufficient to show the established business relationship between a seller and a consumer, records of the service providers used by a telemarketer to deliver outbound calls, and records of the FTC’s Do Not Call Registry that were used to ensure compliance with this rule. Additionally, the NPR seeks comments on whether the FTC should amend the TSR to prohibit material misrepresentations and false or misleading statements in business-to-business telemarketing transactions to prevent harm caused by deceptive telemarketing, and proposes adding a definition of “previous donor” related to charitable donation solicitations.
The ANPRM seeks comments on a range of issues related to whether calls related to tech-support scams should be covered by the TSR, whether telemarketers should be required to provide consumers with a simple click-to-cancel process when they sign up for subscription plans, and whether the TSR should stop treating telemarketing calls made to businesses differently from those made to consumers. According to the FTC, robocalls made to businesses are generally exempt from certain TSR provisions.
Comments on both proposed rulemakings are due 60 days after publication in the Federal Register.
CFPB enters proposed final judgment in TSR and CFPA violation suit
On April 29, the CFPB filed a proposed stipulated final judgment and order in the U.S. District Court for the Central District of California resolving allegations that a student loan debt relief business and a general debt-settlement company, along with their owner and CEO (collectively, “defendants”), engaged in wrongful fee-charging practices and deceptive telemarketing. As previously covered by InfoBytes, the CFPB filed a complaint against the defendants for allegedly violating the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by charging illegal advance fees and using deceptive tactics to induce consumers to sign up for services. According to the complaint, from 2015 to the present, the defendants allegedly charged consumers upfront fees for the debt-relief company to file paperwork with the Department of Education to obtain loan consolidation, loan forgiveness, or income-driven repayment plans. Some consumers paid the upfront fee using a third-party financing company and paid an APR between 17 and 22 percent. The CFPB also alleged that the defendants required some consumers to pay the fee in installments into a trust plan, which carried a $6 monthly banking fee paid to the administrator of the trust accounts. The Bureau alleged that the defendants failed to provide the proper disclosures under the TSR. Moreover, the complaint asserted that from 2019 to the present, the defendants violated the CFPA by representing to consumers that they were turned down for a loan in order to pitch the company’s settlement services. Under the terms of the proposed settlement, the student loan debt relief business and the general debt-settlement company are permanently banned from engaging in debt relief services, and the CEO is banned for five years.
The CEO is also required to pay a civil monetary penalty of $30,000 to the CFPB.
Ed. Dept. discharges additional $238 million
On April 28, the Department of Education announced it will deliver relief to tens of thousands of borrowers harmed by “pervasive and widespread misconduct” at a beauty school. According to the Department, the students attended the beauty school between 2009 and 2016, during which it “engaged in pervasive and widespread misconduct that negatively affected all borrowers who enrolled.” The 28,000 borrowers will receive loan discharges totaling approximately $238 million, which will provide relief to borrowers who enrolled at the beauty school during this period, including those who have not yet applied for a borrower defense discharge. According to Secretary of Education Miguel Cardona, the Department will “continue to strengthen oversight and enforcement for colleges and career schools that engaged in misconduct and uphold the Biden-Harris Administration’s commitment to helping students who have been harmed.” The Office of Federal Student Aid also announced it is hiring four employees for its enforcement unit.
4th Circuit will not revive investors’ data breach case
On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that they misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information. According to the opinion, two years after merging with another hospitality corporation, the defendant “learned that malware had impacted approximately 500 million guest records in the [hospitality corporation’s] guest reservation database.” An investor filed a putative class action against the defendant and nine of its officers and directors, alleging that its failure to disclose severe vulnerabilities in the hospitality corporation’s IT systems rendered 73 different public statements false or misleading in violation of Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 10b-5. The district court granted the defendant’s motion to dismiss with prejudice and concluded that the plaintiffs “‘failed to adequately allege a false or misleading statement or omission, a strong inference of scienter, and loss causation,’ which doomed the claim under Section 10(b) and Rule 10b-5 as well as the secondary liability claim [under Section 20(a) of the Exchange Act].” The investor appealed, dropping its challenge to 55 of the statements but maintaining its challenge to the other 18.
On appeal, the 4th Circuit agreed with the district court that the defendant’s statements about the importance of cybersecurity were not misleading with respect to the quality of its cybersecurity efforts. The appellate court found that “[t]he ‘basic problem’ with the complaint on this point is that ‘the facts it alleges do not contradict [the defendant’s] public disclosures,’” and that reiterating the “basic truth” that data integrity is important does not mislead investors or create a false impression. The appellate court also noted that the complaint “concedes that [the defendant] devoted resources and took steps to strengthen the security of hospitality corporation’s systems,” and that the company included “such sweeping caveats that no reasonable investor could have been misled by them.” The appellate court concluded that the defendant “certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so.”
Chopra testifies at congressional hearings
On April 26, CFPB Director Rohit Chopra testified at a hearing held by the Senate Banking Committee on the CFPB’s most recent semi-annual report to Congress (covered by InfoBytes here). Chopra’s opening remarks focused on key efforts the agency is taking to meet objectives established by Congress, including (i) shifting enforcement resources away from investigating small firms and focusing instead on repeat offenders and large players engaged in large-scale harm; (ii) increasing transparency through the issuance of guidance documents, such as advisory opinions, compliance bulletins, policy statements, and other publications to help entities comply with federal consumer financial laws; (iii) rethinking its approach to regulations, including its work to develop several rules authorized in the CFPA, and placing “a higher premium on simplicity and ‘bright lines’ whenever possible”; (iv) engaging with the business community and meeting with state-based associations to speak directly with community banks and credit unions and engaging with a broad range of other businesses and associations that may be affected by the laws the Bureau administers; (v) promoting greater competition by “lowering barriers to entry and increasing the pool of firms competing for customers based on quality, price, and service”; and (vi) researching issues related to big tech’s influence on consumer payments.
In his opening statement, Senate Banking Committee Chair Sherrod Brown (D-OH) praised Chopra’s recent efforts related to “junk fees” such as overdraft fees and non-sufficient fund fees, discrimination and bias in the appraisal process, reporting of medical collection debt by the credit reporting agencies, examination authority over non-banks and fintech companies, and crack-down on repeat offenders. However, Ranking Member Patrick Toomey (R-PA) criticized Chopra’s actions and alleged “overreach.” Among other things, Toomey characterized the Bureau’s attempts “to supervise for disparate impact not only in lending, but in all consumer financial services and products” as “unauthorized stealth rulemaking” that “will create tremendous uncertainty among regulated entities.” Toomey also took issue with recent changes to the Bureau’s rules of adjudication, claiming it will “make it easier to engage in regulation by enforcement.”
During the hearing, committee members discussed topics related to collecting small business lending data, rural banking access, student loan servicing, and whether the Bureau should be subject to the congressional appropriations process. Republican committee members raised concerns over several issues, including significant revisions recently made to the Bureau’s unfair, deceptive, or abusive acts or practices (UDAAP) examination manual that state that any type of discrimination in connection with a consumer financial product or service could be an “unfair” practice (i.e., the CFPB can now bring “unfair” discrimination claims related to non-credit financial products). (Covered by a Buckley Special Alert.) Senator Thom Tillis (R-NC) characterized the new policy as a “wholesale rewrite” of the examination manual that will improperly expand the reach of disparate impact liability and challenged the lack of notice-and-comment for the changes to the UDAAP manual.
Conversely, Democratic committee members praised Chopra’s actions and encouraged him to continue pressuring banks to cut excessive overdraft fees and other “junk fees,” as well as strengthen enforcement against repeat offenders. Senator Elizabeth Warren (D-MA) stressed that imposing fines that are less than the profits made from the misconduct will not be enough to persuade large banks to follow the law and asked Chopra to think about other steps regulators might consider to hold large repeat offenders accountable. She referenced her bill, the Corporate Executive Accountability Act, which is designed to hold big bank executives personally liable for the bank’s repeat violations of the law.
Chopra reiterated the Bureau’s priorities in his April 27 testimony before the House Financial Services Committee. At the hearing, House committee members questioned Chopra on the Bureau’s plans to collect data on small business loans pursuant to Section 1071 of the Dodd-Frank Act, crack down on “junk fees,” and address fair lending concerns with automated valuation models and fraud in payment networks. During the hearing, Chopra told committee members that the Bureau plans to revisit and update older regulations such as the CARD Act to lower credit card fees. “We want to make sure that credit cards are a competitive market . . . [so] I am asking the staff to look at whether we should reopen the Card Act rules that were promulgated by the Federal Reserve Board over 10 years ago . . . to be able to look at some of these older rules we inherited, to determine whether there needs to be any changes,” Chopra said, adding that “late fees are an area that I expect to be one of the questions we solicit input on.”