InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Connecticut Supreme Court says lender protected by tribal sovereign immunity
On May 20, the Connecticut Supreme Court held that a lender accused of issuing usurious consumer loans without being properly licensed is protected by tribal sovereign immunity. In 2014, the Connecticut Department of Banking initiated an enforcement action against two lenders and a tribal officer of one of the lenders, claiming the lenders violated Connecticut’s banking and usury laws by making high-interest consumer loans over the internet without a license. The commissioner issued cease-and-desist orders and imposed civil penalties on the lenders. The lenders filed a motion in Connecticut Superior Court to dismiss the administrative proceedings for lack of jurisdiction, claiming they were arms of a federally recognized tribe and entitled to tribal sovereign immunity. The Superior Court vacated the orders against the lenders and remanded the case for an evidentiary hearing on whether the lenders are entitled to sovereign immunity.
The Connecticut Supreme Court reversed in part the Superior Court’s order, finding that the lower court should have applied the “Breakthrough factors” adopted by the U.S. Court of Appeals for the Fourth, Ninth, and Tenth Circuits to determine whether the lenders were arms of the tribe. These factors include analysis of (i) “the method of creation” of the entities; (ii) the stated purpose of the entities; (iii) “the structure, ownership, and management of the entities,” which includes the amount of control the tribe has over them; (iv) the tribe’s intent with respect to extending its sovereign immunity to the entities; and (v) “the financial relationship between the tribe and the entities.” Applying these factors, the Connecticut Supreme Court found that one of the lenders was entitled to sovereign immunity because the lender was created under tribal law, is controlled by directors appointed by the tribal council for the purpose of promoting tribal economic development and welfare, and there was a “significant financial relationship” between the tribe and the lender. With respect to the other lender, the court found that there was insufficient evidence to show that it is an arm of the tribe and that further proceedings were necessary to determine its right to sovereign immunity.
District Court rules FCRA waives sovereign immunity
On May 13, the U.S. District Court for the Eastern District of Michigan denied a motion to dismiss filed by the Department of Education (Department), ruling that the FCRA “unequivocally waives sovereign immunity” concerning the allegations at issue in the case. In the lawsuit, the plaintiff alleges, among other things, that the Department violated Section 1681s-2(b) of the FCRA by “negligently and willfully” failing to conduct a proper investigation of her dispute and by failing to remove an erroneous notation of “account in dispute” from a tradeline reported on her credit files. The Department moved to dismiss, arguing, among other things, that it could not be sued for damages under the FCRA “because Congress has not waived sovereign immunity with respect to that statute.”
The court, disagreed, pointing out that while the question of whether sovereign immunity is waived under the FCRA “has generated a circuit split,” the “authority finding that the FCRA waives sovereign immunity is more persuasive than the authority supporting the contrary view.” After examining the statute, the court noted that the FCRA defines a “person” to include a “government or governmental subdivision or agency,” and pointed out that the term “person” appears in other FCRA provisions cited within the plaintiff’s lawsuit. As an example, the court referenced Section 1681n(a), which states: “Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer.” The court also determined that the waiver of sovereign immunity “is sufficiently explicit” in Section 1681u of the FCRA.
District Court denies TRO request to block CFPB’s eviction disclosure rule
On May 14, the U.S. District Court for the Middle District of Tennessee denied a request for a temporary restraining order (TRO) to block a CFPB interim final rule (IFR), which requires all landlords to disclose to tenants certain federal protections put in place as a result of the ongoing Covid-19 pandemic. As previously covered by InfoBytes, the plaintiffs sued the CFPB asserting the IFR violates their First Amendment rights because it “mandates untrue speech and encourages plainly misleading speech” by requiring disclosures about a moratorium that has been challenged or invalidated by several federal courts, including a court in Tennessee where the complaint was filed, as well as the U.S. Court of Appeals for the Sixth Circuit. The Bureau urged the court to deny the temporary injunction, arguing, among other things, that “requiring debt collectors to provide routine, factual notification of rights or legal protections that consumers ‘may’ have, in jurisdictions where the CDC [o]rder applies, does not compel false speech and plainly passes First Amendment muster” (covered by InfoBytes here).
In denying the plaintiffs’ request to block the enactment of the IFR, the court ruled that the IFR does not apply where courts have already blocked the CDC’s eviction order from being enforced. Therefore, “[b]y its very terms, the [IFR] compels nothing at all—including disclosure of false speech—in jurisdictions where the CDC [o]rder does not apply (whether due to a court order declaring the [IFR] invalid, or to something else).” Additionally, the court noted that the plaintiffs’ First Amendment arguments did not suggest that they would suffer irreparable harm without a TRO, as “[p]laintiffs cannot be harmed by a rule where it does not apply.” The court also addressed the plaintiffs’ claim that the rule is unlawful under the Administrative Procedures Act because it requires disclosures not mandated under the FDCPA that could contain false, deceptive, or misleading representations. Because debt collectors in jurisdictions where the CDC order does not apply do not have to make the required disclosures, the IFR cannot be “unlawful on the grounds that it requires false disclosures.”
The court did not opine as to the “wisdom or fairness” of the IFR or the CDC’s order, or whether the IFR is “likely unlawful for any reason other than the particular ones” put forth by the plaintiffs.
Custody bank to pay $115 million to end overbilling investigation
On May 13, a Massachusetts-based custody bank entered into a deferred prosecution agreement (agreement) with the DOJ related to a criminal indictment for a single count of conspiracy to commit wire fraud. According to the DOJ’s press release, the bank acknowledged that, from at least 1998 through 2015, it, along with eight co-conspirator bank executives (collectively, “defendants”), defrauded clients of more than $290 million by charging hidden markups to out-of-pocket (OOP) expenses “on top of fees that the clients had agreed to pay the bank, and despite written agreements that caused clients to believe the expenses would be passed through to them without a markup.”
Under the terms of the agreement, the bank agreed to (i) pay a $115 million monetary penalty; (ii) continue to cooperate with the U.S. Attorney’s Office; (iii) enhance its compliance practices; and (iv) hire an independent compliance and business ethics monitor for two years. The DOJ credited the bank for (i) voluntarily disclosing its misconduct; (ii) cooperating with the DOJ’s investigation; (iii) undertaking remedial measures to enhance its compliance program and to ensure consequences for individuals and business units involved in the misconduct; (iv) reimbursing affected clients for the overbilled amounts; and (v) previously paying $88 million in civil money penalties to the SEC and $8.575 million in civil penalties to state regulators.
9th Circuit denies en banc rehearing in CFPB case against Seila Law
On May 14, the U.S. Court of Appeals for the Ninth Circuit denied en banc rehearing of CFPB v. Seila Law, LLC. As previously covered by InfoBytes, following remand from the U.S. Supreme Court, a three-judge panel of the 9th Circuit had reaffirmed a district court order granting the CFPB’s petition to enforce a civil investigative demand (CID) sent to Seila Law. The panel wrote that “Director Kraninger’s ratification [of the CID] remedied any constitutional injury that Seila Law may have suffered due to the manner in which the CFPB was originally structured. Seila Law’s only cognizable injury arose from the fact that the agency issued the CID and pursued its enforcement while headed by a Director who was improperly insulated from the President’s removal authority. Any concerns that Seila Law might have had about being subjected to investigation without adequate presidential oversight and control had now been resolved. A Director well aware that she may be removed by the President at will had ratified her predecessors’ earlier decisions to issue and enforce the CID.”
Judge Bumatay, joined by three other circuit judges, dissented from denial of en banc rehearing, arguing that “[o]ur court’s decision to deny rehearing en banc effectively means that Seila Law is entitled to no relief from the harms inflicted by an unaccountable and unchecked federal agency. Thus, while David slayed the giant, Goliath still wins.” Judge Bumatay further stressed that the doctrine of ratification does not permit the Bureau to “retroactively gift itself power that it lacked,” concluding that the panel’s condoning of the Bureau’s “power grab was erroneous.”
District Court approves online marketplace data breach settlement
On May 13, the U.S. District Court for the Northern District California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after plaintiffs launched an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.
6th Circuit affirms dismissal of FACTA credit card receipt suit
On May 11, the U.S. Court of Appeals for the Sixth Circuit affirmed dismissal of a putative class action for lack of subject matter jurisdiction, holding that while a merchant technically violated the Fair and Accurate Credit Transactions Act (FACTA) by including 10 credit card digits on a customer’s receipt, the customer failed to allege any concrete harm sufficient to establish standing. According to the opinion, the named plaintiff filed a class action against the merchant alleging the first six and last four digits of her credit card number were printed on her receipt—a violation of FACTA’s truncation requirement, which only permits the last five digits to be printed on a receipt. The plaintiff argued that this presented “a significant risk of the exact harm that Congress intended to prevent—the display of card information that could be exploited by an identity thief,” and further claimed she did not need to allege any harm beyond the violation of the statute to establish standing. The district court disagreed, ruling that the plaintiff “lacked standing because she alleged merely a threat of future harm that was not certainly impending” and that the merchant’s technical violation demonstrated no material risk of identity theft.
In agreeing with the district court, the 6th Circuit concluded that a “violation of the statute does not automatically create a concrete injury of increased risk of real harm even if Congress designed it so.” Moreover, the appellate court reasoned that the “factual allegations in this complaint do not establish an increased risk of identity theft either because they do not show how, even if [p]laintiff’s receipt fell into the wrong hands, criminals would have a gateway to consumers’ personal and financial data.” The appellate court further concluded, “statutory-injury-for-injury’s sake does not satisfy Article III’s injury in fact requirement” and the court must exercise its constitutional duty to ensure a plaintiff has standing.
2nd Circuit affirms borrower standing in mortgage recordation delay suit
On May 10, the U.S. Court of Appeals for the Second Circuit determined that class members have constitutional standing to sue a national bank for allegedly violating New York’s mortgage-satisfaction-recording statutes, which require lenders to record borrowers’ repayments within 30 days. The plaintiffs filed a class action suit alleging the bank’s recordation delay harmed their financial reputations, impaired their credit, and limited their borrowing capacity. The district court agreed, ruling that the plaintiffs had Article III standing to sue because the bank’s alleged violation of the mortgage-satisfaction-recording statutes created a “material risk of harm” to them.
On appeal, the majority opinion first determined, among other things, that “state legislatures may create legally protected interests whose violation supports Article III standing, subject to certain federal limitations.” The alleged state law violations in this matter, the majority wrote, constitute a concrete and particularized harm to the plaintiffs in the form of both reputational injury and limitations in borrowing capacity during the recordation delay period. Moreover, the majority concluded that the bank’s alleged failure to report the plaintiffs’ mortgage discharge “posed a real risk of material harm” because the public record reflected an outstanding debt of over $50,000, which could “reasonably be inferred to have substantially restricted” the plaintiffs’ borrowing capacity. The dissenting judge argued, however, that the plaintiffs “never suffered a cloud on title prohibiting them from selling their property, or adverse effects on their credit, or an inability to finance another property, or even a risk of these harms,” and that the “trivial nature of a recordation delay is reflected in the 30-day delay that is tolerated without penalty, and by the small penalty exacted even after 90 days.”
The 2nd Circuit joined the Third, Seventh, Ninth, and Tenth circuits in holding that state legislatures have the power to “create ‘legally protected interests’” that, when violated, satisfy Article III injury-in-fact requirement, noting that it is “aware of no Circuit holding to the contrary.”
9th Circuit: Federal Foreclosure Bar preempts Nevada HOA law, maintaining Fannie Deed of Trust
On May 5, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of a mortgage servicer in an action asserting claims arising from a homeowners’ association’s (HOA) nonjudicial foreclosure on real property in Nevada. According to the opinion, Fannie Mae originally purchased the loan on the property (secured by a Deed of Trust), which was eventually assigned to the mortgage servicer. Following the homeowners’ failure to pay their HOA dues, a foreclosure sale was held, and the property was conveyed to a limited liability company. The mortgage servicer filed a quiet title suit against the company, and the district court granted summary judgment in its favor on the basis that the Federal Foreclosure Bar (which prohibits the foreclosure of FHFA property without FHFA’s consent) “prevented the extinguishment of Fannie Mae’s Deed.”
In agreeing with the district court, the 9th Circuit first rejected two threshold challenges raised by the company, holding that the mortgage servicer “properly and timely” raised its claims under the Federal Foreclosure Bar. Specifically, the appellate court determined that the mortgage servicer “presented ample evidence of its servicing relationship with Fannie Mae,” and that this relationship, along with authority delegated to Fannie Mae loan servicers to protect its mortgage loans, “was more than sufficient to establish” that the mortgage servicer was Fannie Mae’s loan servicer and, therefore “had the authority to assert the Federal Foreclosure Bar” in quiet title action. The 9th Circuit also concluded that the mortgage servicer filed the action within the applicable six-year statute of limitations. In holding that the Federal Foreclosure Bar preempted Nevada’s HOA law and prevented the extinguishment of Fannie Mae’s Deed of Trust, the appellate court noted, among other things, that the mortgage servicer demonstrated that Fannie Mae retained an enforceable interest in the loan at the time of the HOA foreclosure sale. The 9th Circuit rejected the company’s argument that the mortgage servicer “failed to produce a ‘signed writing’ evincing such interest as required by the Nevada statute of frauds.” According to the appellate court, given that the company “was not a party to the underlying loan agreement pursuant to which Fannie Mae acquired the loan,” the company could not raise the statute of frauds.
Defendant obligated to indemnify bank in data breach suit
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data comprises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.