InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB appeals decision on Prepaid Accounts Rule
On August 16, the CFPB filed its opening brief in the agency’s appeal of a district court’s December 2020 decision, which granted a payment company’s motion for summary judgment and vacated two provisions of the Bureau’s Prepaid Account Rule: (i) the short-form disclosure requirement “to the extent it provides mandatory disclosure clauses”; and (ii) the 30-day credit linking restriction. As previously covered by InfoBytes, the Bureau claimed that it had authority to enforce the mandates under federal regulations, including the EFTA, TILA, and Dodd-Frank, but the district court disagreed, concluding, among other things, that the Bureau acted outside of its statutory authority with respect to the mandatory disclosure clauses of the short-form requirement in 12 CFR section 1005.18(b) by presuming that “Congress delegated power to the Bureau to issue mandatory disclosure clauses just because Congress did not specifically prohibit them from doing so.” In striking the mandatory 30-day credit linking restriction under 12 CFR section 1026.61(c)(1)(iii), the district court determined that “the Bureau once again reads too much into its general rulemaking authority,” and that neither TILA nor Dodd-Frank vest the Bureau with the authority to promulgate substantive regulations on when consumers can access and use credit linked to prepaid accounts. Moreover, the court deemed the regulatory provision to be a “substantive regulation banning a consumer’s access to and use of credit” under the disguise of a disclosure, and thus invalid.
In its appeal, the Bureau urged the U.S. Court of Appeals for the D.C. Circuit to overturn the district court’s ruling, arguing that both the EFTA and Dodd-Frank authorize the Bureau to promulgate rules governing disclosures for prepaid accounts. “The model-clause provision simply ensures that institutions will always have a surefire way of complying with the statute, even when the Bureau’s regulations do not specify how information should be disclosed,” the CFPB said, stressing that “[n]either that provision nor anything else forecloses—let alone unambiguously forecloses—rules requiring disclosures to present specified content in a specified format so that consumers are better able to find, understand, and compare products’ terms.” The decision to adopt such rules, the Bureau added, is entitled to deference. According to the Bureau, the Prepaid Account Rule “does not make any specific disclosure clauses mandatory,” and companies are permitted to use the provided sample disclosure wording or use their own “substantially similar” wording. Additionally, the Bureau argued, among other things, that “[b]y mandating optional model clauses while remaining silent about content and formatting requirements, Congress did not ‘circumscribe[] the [agency’s] discretion’ to adopt such requirements.” Instead, the Bureau contended, “whether to adopt content and formatting requirements is left ‘to agency discretion.’” Moreover, the disputed requirements “fit comfortably” within its power to regulate disclosure standards under EFTA and Dodd-Frank, the Bureau argued, adding that the law “authorizes the Bureau to ‘prescribe rules to ensure that the features of any consumer financial product or service … are fully, accurately, and effectively disclosed to consumers.’”
6th Circuit: Consumer lacks standing to bring FDCPA voice message claims
On August 16, the U.S. Court of Appeals for the Sixth Circuit held 2-1 that a plaintiff lacked Article III standing to bring claims against a debt servicer defendant for allegedly violating the FDCPA by failing to properly identify itself in voice messages. The plaintiff filed suit in 2019 alleging violations of three FDCPA provisions, including that the defendant: (i) failed to identify itself as a debt collector in its voice messages; (ii) failed to identify the “true name” of its business, thus causing the plaintiff to send a cease-and-desist letter to the wrong entity; and (iii) placed calls without meaningfully disclosing its identity. The district court granted summary judgment in favor of the defendant, ruling that because the defendant did not qualify as a “debt collector” under the FDCPA it was not subject to the statute’s requirements.
On appeal, the 6th Circuit raised the issue of standing “for the first time on appeal,” concluding that the plaintiff “does not automatically have standing simply because Congress authorizes a plaintiff to sue a debt collector for failing to comply with the FDCPA.” Pointing out that the appeal “centers on whether [the plaintiff] suffered a concrete injury,” the appellate court rejected the plaintiff’s arguments that the defendant’s statutory violations constituted a “concrete injury” and “that the confusion he suffered, the expense of counsel, and the phone call that he received from [the defendant] qualify as independent concrete injuries.” Among other things, the 6th Circuit noted that although the plaintiff claimed that the FDCPA “created an enforceable right to know who is calling about a debt and that [the defendant’s] failure to identify its full name concretely injured him,” the plaintiff ultimately failed to demonstrate that the defendant’s “failure to disclose its full identity in its voice messages resembles a harm traditionally regarded as providing a basis for a lawsuit.” Additionally, the appellate court determined that “confusion alone is not a concrete injury for Article III purposes,” and that the plaintiff “cannot show concrete harm simply by pointing to the cost of hiring counsel.” Moreover, because the plaintiff “did not clearly assert in his complaint that he received—let alone was harmed by—an additional phone call, [the appellate court] need not decide whether an unwanted call might qualify as a concrete injury.” The 6th Circuit vacated the district court’s order entering summary judgment and remanded the case to be dismissed for lack of jurisdiction.
District Court: State law right-to-cure provisions preempted by National Bank Act
On August 4, the U.S. District Court for the Western District of Wisconsin granted defendants’ motion for partial summary judgment in an action alleging claims under the FDCPA and the Wisconsin Consumer Act (WCA). The defendants were a debt-purchasing company and a law firm hired by the company to recover outstanding debt and purported late fees on the plaintiff’s account in a separate state-court action. After the plaintiff failed to make payments on his outstanding balance, the original creditor (a national bank) charged late fees and mailed him a “right to cure” letter advising him of the minimum payment due and the deadline to make the payment. The account was eventually sold to the debt-purchasing company after the plaintiff failed to make any minimum payments. The law firm sent the plaintiff two letters on behalf of the debt-purchasing company, one which outlined his right to dispute the debt and one which provided a “notice of right to cure default.” A small claims action was filed against the plaintiff in state court, in which the plaintiff argued for dismissal, contending in part that the notice of default failed to itemize delinquency charges as required under Wisconsin law. The plaintiff then filed this suit in federal court alleging violations of the FDCPA and the WCA, claiming that the defendants “falsely represented the status of his debt in violation of § 1692e by purporting to have properly accelerated his debt and filed suit against him despite [the plaintiff] never being provided an adequate right to cure letter pursuant to Wisconsin law.”
First, in reviewing whether the plaintiff had standing to sue, the court determined that the “costs, time, and energy” incurred by the plaintiff to defend himself in the state-court action amounted to a “concrete injury in fact” that established his standing in the federal-court action. However, upon reviewing the WCA’s right-to-cure provisions as the basis for the plaintiff’s claims that the defendants violated federal and state laws by allegedly falsely representing that they could accelerate the plaintiff’s debt and sue him, the court examined whether the state law’s notice and right-to-cure provisions were federally preempted by the National Bank Act (NBA), as the original creditor’s rights and duties were assigned to the debt-purchasing company when the account was sold. The court determined that while the WCA right-to-cure provisions “do relate in part to debt collection,” they also “go beyond that by imposing conditions on the terms of credit within the lending relationship.” The court ultimately concluded that the WCA provisions “are inapplicable to national banks by reason of federal preemption,” and, as such, the court found “that a debt collector assigned a debt from a national bank is likewise exempt from those requirements” and was not required to send the plaintiff a right-to-cure letter “as a precondition to accelerating his debt or filing suit against him.”
District Court: Cloud computing company must face class action CCPA claims in data breach suit
On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that the data breach was a result of the company’s “deficient security program” and contended that the company “failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.” They further claimed, among other things, that the company’s narrow internal investigation did not address the full scope of the ransomware attack (in which it was eventually revealed that Social Security numbers and other sensitive personal data were compromised) and that plaintiffs were not provided timely and adequate notice of the data breach.
The court found that the plaintiffs failed to adequately plead their claims for violations of consumer protection laws in New Jersey, Pennsylvania, and South Carolina, but allowed certain claims to proceed, including plaintiffs’ allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to implement and maintain reasonable security procedures. The CCPA, which became effective January 1, 2020 (covered by a Buckley Special Alert), provides for a limited private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” The company countered, however, that it is not a “business” regulated under the CCPA.
The court disagreed, writing that “the plain text of the statute is instructive” and that the plaintiffs had adequately alleged that the company qualified as a “business” under the statute because it (i) uses consumers’ personal data to provide, develop, improve, and test its services; (ii) “develops software solutions to process its customers’ patrons’ personal information”; (iii) has annual gross revenues of more than $25 million; and (iv) is allegedly registered as a “data broker” in California under a law that “provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” The court also rejected the company’s contention that because it qualifies as a “service provider” under the CCPA it is not a “business.” The court further allowed claims under New York General Business Law Section 349 to proceed, finding the plaintiffs had sufficiently alleged that the company had misrepresented its security measures and the scope of the breach and had prevented consumers from protecting their data. The court also allowed the plaintiffs to seek declaratory and injunctive relief under Florida’s Deceptive and Unfair Trade Practices Act.
District Court grants summary judgment against student loan debt-relief defendant
On August 10, the U.S. District Court for the Central District of California granted summary judgment against an individual defendant in an action by the CFPB against a lender and several related individuals and companies (collectively, “defendants”) for alleged violations of the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), and Fair Credit Reporting Act (FCRA). As previously covered by InfoBytes, the CFPB filed a complaint in 2020 claiming the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products. However, the Bureau alleged that the defendants instead resold or provided the reports to numerous companies, including companies engaged in marketing student loan debt relief services. The defendants also allegedly violated the TSR by charging and collecting advance fees for their debt relief services, and violated both the TSR and CFPA by placing telemarketing sales calls and sending direct mail to encourage consumers to consolidate their loans, while falsely representing that consolidation could lower student loan interest rates, improve borrowers’ credit scores, and allow borrowers to change their servicer to the Department of Education. Settlements have already been reached with certain defendants (covered by InfoBytes here, here and here).
Responding to the Bureau’s motion for summary judgment against the individual defendant, the court, among other things, held that undisputed evidence showed that the individual defendant “obtained and later used prescreened lists from [a consumer reporting agency] without a permissible purpose” in order to send direct mail solicitations from the businesses that he controlled to consumers on the lists as opposed to firm offers of credit or insurance. The court also found that the individual defendant violated the TSR by mispresenting material aspects of the debt relief services and violated the CFPA by making false statements to induce consumers to pay advance fees for these services. Furthermore, the court rejected the individual defendant’s arguments involving boilerplate evidentiary objections and Fifth Amendment and statute of limitation claims. Because the individual defendant “was heavily involved in and controlled much of the [student loan debt relief businesses’] activities,” the court found that he acted recklessly and granted the Bureau’s motion for summary judgment, finding that injunctive relief, restitution, and a civil money penalty are appropriate remedies.
District Court allows CFPB, Massachusetts AG’s telemarketing suit to proceed
On August 10, the U.S. District Court for the District of Massachusetts denied a motion to dismiss filed by a credit repair organization and the company’s president and owner (collectively, “defendants”) in a joint action taken by the CFPB and the Massachusetts attorney general, which alleged the defendants committed deceptive acts and practices in violation of the Consumer Financial Protection Act (CFPA), the Massachusetts Consumer Protection Law, and the FTC’s Telemarketing Sales Rule (TSR). As previously covered by InfoBytes, the complaint alleges the defendants, among other things, claimed their credit-repair services could help consumers substantially improve their credit scores and promised to fix “unlimited” amounts of negative items from consumers’ credit reports, but, in “numerous instances,” the defendants failed to achieve these results. The defendants also allegedly violated the TSR by engaging in abusive acts and by requesting and collecting fees before achieving any results related to repairing a consumer’s credit. The defendants moved to dismiss, arguing that they were governed by the Credit Repair Organizations Act (CROA), which cannot be reconciled with the TSR, the TSR definition of “telemarketing” is vague and violates the Due Process Clause, and that applying the TSR’s definition of telemarketing would place an unfair content-based restriction on speech that restricts when they can collect payments for their services. Moreover, the defendants claimed, among other things, that the FTC “exceeded its authority in promulgating rules targeting their conduct because Congress intended that only unsolicited telemarketing calls would be addressed by the FTC’s regulations.”
The court disagreed, holding first that that the CROA and the TSR do not conflict. “[C]ompliance with the TSR’s payment requirement would not cause defendants to violate the CROA,” the court stated. “The TSR simply adds a precondition to requesting payment…” Additionally, the court noted that the TSR’s “restriction is on conduct—the timing of the payment—not on speech,” adding that while “Congress directed the FTC to create rules regarding specific telemarketing activities. . ., Congress also authorized the FTC to create additional rules addressing ‘deceptive telemarketing acts or practices’ at its discretion.” As such, the court held that defendants did not show that “Congress intended the FTC to exclusively address unsolicited telemarketing calls.” Furthermore, the court held that the plaintiffs adequately defined the defendants’ allegedly deceptive conduct and that the alleged violations of state law are plausible.
9th Circuit revives TCPA suit against insurance servicer
On August 10, the U.S. Court of Appeals for the 9th Circuit revived a lawsuit against an insurance servicing company (defendant) for allegedly using both an automated telephone dialing system and an artificial or pre-recorded voice to place a job-recruitment call without obtaining the plaintiff’s consent. According to the opinion, the plaintiff filed a suit alleging, among other things, TCPA violations after receiving the pre-recorded voicemail from the defendant regarding his “industry experience” and that the defendant is “looking to partner with select advisors in the Los Angeles area.” The district court dismissed the plaintiff’s action under Federal Rule of Civil Procedure 12(b)(6) for failing “to state a claim upon which relief can be granted,” holding that the TCPA and the relevant implementing regulation do not prohibit conducting job recruitment robocalls to a cellular telephone number. In addition, the district court “read the Act as prohibiting robocalls to cell phones only when the calls include an ‘advertisement’ or constitute ‘telemarketing,’ as those terms have been defined” by the FCC. The court found that since the plaintiff admitted that the job recruitment call he received did not involve advertising or telemarketing, he had not adequately pleaded a violation of the TCPA.
On the appeal, a three-judge panel of the 9th Circuit determined that the district court misread the TCPA and the implementing regulation when dismissing the plaintiff’s suit and remanded the case for further proceedings. The appellate court noted that the FCC provision was intended to tighten the consent requirement for robocalls that involve advertising or telemarketing, but the lower court incorrectly perceived the provision as “effectively removing robocalls to cellphones from the scope of the TCPA’s coverage unless the calls involve advertising or telemarketing.” Moreover, the panel wrote that “[t]he applicable statutory provision prohibits in plain terms ‘any call,’ regardless of content, that is made to a cellphone using an automatic telephone dialing system or an artificial or pre-recorded voice, unless the call is made either for emergency purposes or with the prior express consent of the person being called.”
CFPB and lenders file briefs for 2017 payday lending case
On August 6, the U.S. District Court for the Western District of Texas received briefs from the CFPB and the two trade groups (plaintiffs) challenging the CFPB’s 2017 final payday/auto title/high-rate installment loan rule (2017 Rule) regarding a compliance date for the 2017 Rule’s payment provisions. The briefs were filed in response to the court’s July 29 order requesting briefing “concerning what would be the appropriate compliance date if the court were to deny Plaintiffs’ motion for summary judgment and grant Defendants’ motion for summary judgment.” As previously covered by InfoBytes, in August 2020, the plaintiffs asked the court to set aside the 2017 Rule and the Bureau’s ratification of the payment provisions of the 2017 Rule as unconstitutional and in violation of the Administrative Procedures Act (APA). Earlier in July 2020, the Bureau issued a final rule revoking the 2017 Rule’s underwriting provisions and ratified the 2017 Rule’s payment provisions (covered by InfoBytes here) in light of the U.S. Supreme Court’s decision in Seila Law LLC v CPFB (covered by a Buckley Special Alert, holding that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau).
According to the CFPB’s brief, the stay of the compliance date should remain in place for no longer than 30 days after the Court’s decision on summary judgment. The CFPB argued, among other things, that a 30-day delay is consistent with the APA and should provide sufficient time to make any final preparations. In addition, the CFPB argued that complying with the payment provisions is not considered “onerous” because the provisions generally prohibit lenders from withdrawing payments for a covered loan from a borrower’s account after two consecutive attempts have failed due to lack of sufficient funds and because the provisions require lenders to give consumers certain notices, specifically before attempting to withdraw a payment for the first time and before making an “unusual” withdrawal attempt. In addition, the CFPB argued that “[f]urther extension of the stay is particularly unwarranted because the only basis for the stay disappeared over a year ago.”
According to the plaintiffs’ brief, an “order lifting the stay…should set the compliance date no earlier than 445 days (or, at a minimum, 286 days) from the date the court lifts the stay, reflecting the time left for compliance when the stay was sought (or entered).” In addition to arguing that requiring immediate compliance would violate the APA, the plaintiffs argued, among other things, that “the 2017 Rule gave lenders twenty-one months before compliance would be required, which the Bureau viewed as necessary to give lenders ‘enough time for an orderly implementation period’ and to ‘reasonably adjust their practices to come into compliance.’” Moreover, the plaintiffs argued that the Bureau will need to set a new compliance date via notice-and-comment rulemaking if the stay did not toll the compliance period.
Responses from both parties are due by August 16.
District Court grants summary judgment for defendant in FDCPA vicarious liability case
On July 30, the U.S. District Court for the Northern District of Alabama granted a motion for summary judgment in favor of a debt collector (defendant) with respect to a plaintiff’s FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the FDCPA by engaging in abusive, deceptive, and unfair debt collection practices when the defendant allegedly filed a false proof of service in a collection action, which allowed the defendant to obtain a default judgment and garnish the plaintiff’s wages. The defendant, through a law firm, allegedly purchased a debt that the plaintiff had maintained. Subsequently, a collection lawsuit against the plaintiff was filed and a process server delivered the summons and complaint to the plaintiff. The plaintiff filed suit against the defendant, alleging the defendant violated the FDCPA by falsely claiming that it served the summons and complaint. After finding that the defendant itself did not falsify the service return form or have knowledge that a falsified service return form was filed, the court examined if the defendant is vicariously liable for the alleged violations undertaken by the collection law firm or the process server. According to the opinion, “a plaintiff may press an FDCPA claim pursuant to a theory of vicarious liability only if the pertinent parties both constitute “debt collectors” and they enjoy an agency relationship,” however, “the evidence fails to permit a reasonable determination that either may expose [the defendant] to vicarious liability.”
As previously covered by InfoBytes, in June, the U.S. District Court for the District of Oregon partially granted a plaintiff’s motion for summary judgment, finding that a debt buyer who puts accounts with a debt collector can be held vicariously liable for the actions of the debt collector, since the debt buyer “bear[s] the responsibility of monitoring the activities of those it hires to collect debts on its behalf.” However, in the U.S. District Court for the Northern District of Alabama case, the court found that that any alleged issues regarding summons and complaints in an underlying collection case do not qualify as the responsibility of the defendant.
District Court: Online payment processor must face data collection class action claims
On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed to be communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.
The court denied the motion to dismiss as to plaintiffs’ claims of invasion of privacy and intrusion under California’s Constitution and common law, finding that the plaintiffs have sufficiently alleged the plaintiffs did not consent to the defendant’s disclosure of their information to its merchants and customers. The court was precluded from finding that plaintiffs had no reasonable expectation of privacy because the language in the defendant’s privacy policy limited the sharing to information with third parties to assist with the prevention or detection of fraud or for processing services only.
In dismissing the wiretap claims, the court reviewed the “sign-in wrap” agreement presented to consumers at the purchase checkout page, which required plaintiffs to agree to the defendant’s terms of service and privacy policy whenever they placed an order. While the plaintiffs argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information that it did,” the court pointed out that the policy contained provisions disclosing that third parties like the defendant “may obtain not only credit card data, but also ‘identifiers, demographic information, commercial information, relevant order information, internet activity, geolocation data, sensory information, and inferences,’” and that partners may also “use various technologies’ to ‘collect information about [consumer] online activity over time and across different websites or online services.’” Among other things, the court reasoned that the disclosures were binding on the consumers, even though they were provided by the defendant and not the merchants.
The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.