InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC sanctions darknet marketplace for selling stolen data
On April 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, against one of the world’s largest darknet marketplaces for its involvement in the theft and sale of device credentials and related sensitive information. According to OFAC, the marketplace accesses victims’ devices without authorization and sells the stolen data, including usernames and passwords, on the darknet. The action was taken in coordination with the DOJ and international partners from a dozen countries who are also taking action against market users across multiple jurisdictions and seizing associated website domains. The designation built upon previous actions taken against darknet marketplaces, including sanctions issued last year against the world’s most prominent darknet market. (Covered by InfoBytes here.) OFAC also referenced FinCEN’s 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency, to warn “that darknet markets frequently include offers for the sale of illicit goods and services that use virtual currencies as a method of payment.” (Covered by InfoBytes here.) As a result of the sanctions, all property and interests in property belonging to the sanctioned entity in the U.S. must be blocked and reported to OFAC. OFAC noted that U.S. persons are prohibited from participating in transactions with sanctioned persons, and that “persons that engage in certain transactions with the entity designated today may themselves be exposed to sanctions.”
The DOJ stated in its press release that, along with its partners, it had “dismantled” the marketplace and “arrested many of its users around the world.” The DOJ explained that the marketplace “was also one also one of the most prolific initial access brokers [] in the cybercrime world,” and “attract[ed] criminals looking to easily infiltrate a victim’s computer system.” The marketplace sold access to ransomware actors looking to attack computer networks in the United States and globally, the DOJ said, adding that the marketplace also sold device “fingerprints” used to trick third-party websites into thinking the marketplace user was the actual account owner.
District Court upholds arbitration in website terms of use
On March 28, the U.S. District Court for the Western District of North Carolina ruled that class members must arbitrate their claims against an online lending marketplace relating to a 2022 data breach that affected current, former, and prospective customers. The court found that a mandatory arbitration clause contained in the defendant’s terms of use agreement “is broad enough to encompass the claims” brought by class members, and adopted recommendations made by a magistrate judge in February, who found that the agreement not only requires users to agree to be bound by its terms of use when they make their accounts, but also requires that users consent, acknowledge, and agree to its terms of use any time they submit consumer loan searches on the website. The plaintiff argued that there was not a binding contract between the parties because he did not “fully and clearly” understand that he had agreed to arbitrate disputes with the defendant. He further attested that because he never saw the terms of use, he “lacked actual or inquiry notice.” In particular, the plaintiff complained about the placement and font size of the notice, which he claimed no reasonable consumer would have seen “as there is no reason to scroll down the page after seeing the ‘Create Account’ tab.” The magistrate judge disagreed, stating that the “[p]laintiff had multiple opportunities to read and decline the terms if he chose,” and that “[t]his is not the needle in a haystack search that [p]laintiff depicts.” In agreeing with the recommendations, the court concluded that the plaintiff failed to show that the magistrate judge’s determination “was clearly erroneous or contrary to law” and said the plaintiff is bound by the arbitration clause.
Colorado restricts vehicle value protection agreements
On March 23, the Colorado governor signed SB 23-015, which prohibits placing conditions on the terms of a vehicle sale, lease, or the extension or terms of credit, upon the purchase of a vehicle value protection agreement. In addition, the bill requires, among other things, that such agreements must outline eligibility requirements, coverage conditions or exclusions, provide certain consumer notices, and must benefit the consumer “upon the trade-in, total loss, or unrecovered theft of a covered vehicle.” Providers of such agreements must also obtain a contractual liability insurance policy that guarantees their obligations under the agreement. Finally, the act establishes that value protection agreements themselves are not insurance and are exempt from state insurance regulations.
District Court: Collection can resume after debt is verified
On March 24, the U.S. District Court for the Southern District of Illinois granted defendants’ motion for summary judgment in an action concerning whether the defendants failed to adequately validate plaintiff’s debt. Plaintiff incurred a debt that was charged off and sold to one of the defendants for collection. The defendant creditor used the second defendant to manage collection of the account. An independent third party hired by the defendant creditor to collect on the debt sent an email containing a FDCPA-required validation notice to the plaintiff, who responded by sending a written validation request to the third party. In response, the second defendant sent two letters to the plaintiff, validating the debt and including the name of the original creditor, the current creditor, the last four digits of the account number, and the amount owed. The plaintiff submitted additional validation requests to the second defendant. The account was eventually placed with a different third-party collection agency, which sent a verification letter containing the same information to the plaintiff. The plaintiff sent a validation request to the new collection agency, as well as an additional request to the second defendant, and received responses to these validation requests as well.
The plaintiff sued, premising her FDCPA claims on the argument that the defendants acted deceptively when they attempted to collect on a debt by placing the account with the second collection agency while the debt was being actively disputed. The court disagreed, stating that after the defendants “provided verification of the debt, they were free to resume collection efforts.” The court explained that the plaintiff “cannot forestall collection efforts by disputing the debt into perpetuity,” and added that nothing in the FDCPA prevents the use of more than one collection agency to collect on a debt. The court also said the fact that the initial validation response was sent after the 30-day statutory validation period expired and contained a second validation notice, did not adversely impact the plaintiff nor “create actionable confusion,” particularly because “the second validation notice was sent after Plaintiff exercised her statutory right to dispute the debt.”
CFPB, New York AG ask court to lift stay after 2nd Circuit decision
On March 31, plaintiffs CFPB and the New York Attorney General moved the U.S. District Court for the Southern District of New York to lift its stay order in their litigation against a remittance provider in response to a recent U.S. Court of Appeals for the Second Circuit decision upholding the CFPB’s funding structure under the Constitution’s Appropriations Clause. (Covered by InfoBytes here.) The plaintiffs argued that the 2nd Circuit’s binding opinion has now “answer[ed] the question at the heart of this Court’s stay order: whether the Bureau’s statutory funding mechanism violates the Constitution.”
As previously covered by InfoBytes, the district court had originally paused the proceedings at the defendant’s request when the Supreme Court was considering whether to hear an appeal in a different matter relating to the Bureau’s funding structure. The district court continued the stay after the Supreme Court agreed to review the 5th Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where it found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause. The Supreme Court is scheduled to review the 5th Circuit’s decision next term (covered by InfoBytes here).
The agencies argued primarily that (i) the 2nd Circuit “expressly considered and rejected the Fifth Circuit’s contrary view in CFSA;” (ii) it “did so notwithstanding that the Supreme Court will consider the same issue next Term”; and (iii) “[g]rants of certiorari do not change the law, and a district court remains bound by circuit precedent until the Supreme Court or the court of appeals changes that precedent.”
On April 7, the court issued an order denying the Bureau's request and electing to keep the stay in place while the Supreme Court resolves the circuit split on this issue.
CFPB received nearly 1.3 million consumer complaints in 2022
On March 31, the CFPB published its Consumer Response Annual Report for 2022, providing an overview of consumer complaints received by the agency between January 1 and December 31, 2022. According to the report, the Bureau received approximately 1,287,000 consumer complaints last year and sent more than 820,000 complaints for review and response to roughly 3,200 companies. Among other trends, the Bureau found that complaints about credit or consumer reporting continued to increase, accounting for more than 75 percent of all complaints received last year. Checking and savings account-related complaints also increased. Many consumers reported issues with managing their accounts, including account closures, fraudulent activity, and issues with customer service. While complaints relating to student loans comprised a small percentage of complaints overall, the Bureau noted a significant increase from prior years, largely due to consumers reporting issues with their lender or servicer. Consumers described issues with repayment pause extensions, proposed changes to the federal loan program, and forgiveness programs. Additionally, the Bureau observed an increase in complaints about money service fraud and scams, where consumers reported losing money through phishing/smishing scams or via fraudsters who posed as investment or financial institution representatives to steal virtual currency. The most complained-about products and services—representing approximately 95 percent of all complaints—were credit or consumer reporting, debt collection, credit cards, checking or savings accounts, and mortgages. The Bureau also received complaints related to money transfers and virtual currency; vehicle finance; student, personal, and payday loans; prepaid cards; credit repair; and title loans.
FDIC releases February enforcement actions
On March 31, the FDIC released a list of administrative enforcement actions taken against banks and individuals in February. The FDIC made public five orders and one notice, including “three orders of prohibition from further participation, one order to pay civil money penalty, one Section 19 order, and one Notice of Charges.”
The actions include a civil money penalties order against a Wisconsin-based bank related to alleged violations of the Flood Disaster Protection Act (FDPA). The FDIC determined that the bank had engaged in a pattern or practice of violating the FDPA by failing to (i) obtain flood insurance on a building securing a designated loan at the time of origination of two loans; (ii) obtain adequate flood insurance at the time of origination of seven loans; (iii) follow lender-placed flood insurance procedures for one loan; (iv) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending, or renewing a loan on four occasions; and (v) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance within a reasonable time prior to the completion of the transaction on one loan.
FHA proposes earlier HECM claim submissions
On April 4, FHA issued FHA Info 2023-25, announcing proposed changes to the Home Equity Conversion Mortgage (HECM) program and documentation requirements for certain submission criteria. FHA explained that the documentation changes would apply to HECM Assignment Claim Type 22, which “is an option that allows a HECM servicer to assign a mortgage that is in good standing to FHA in exchange for payment of the loan balance, up to the maximum claim amount.” Specifically, the proposal would allow servicers to start submitting claim documentation for preliminary FHA review when a mortgage reaches 97 percent of the maximum claim amount (MCA), versus the 97.5 percent currently allowed. The change is intended “to expedite the payment of claim funds when the mortgage reaches 98 percent of the MCA, to mortgage servicers in light of current market liquidity considerations.” The proposal would also establish that the deadline for mortgagees to deliver original notes and mortgages to FHA is 90 days after the assignment claim payment date, and would align the deadline for delivering recorded assignments of mortgage for all HECMS by increasing the timeline to 12 months for HECMs with FHA case numbers assigned before September 19, 2017. Comments on the proposal are due April 11.
CFPB defines abusive conduct under the CFPA
On April 3, the CFPB issued a policy statement containing an “analytical framework” for identifying abusive conduct prohibited under the Consumer Financial Protection Act. The Bureau broadly defines abusive conduct as anything that obscures, withholds, de-emphasizes, renders confusing, or hides information about the important features of a product or service. The policy statement, which is intended to clarify Congress’s statutory definition of abusive practices, serves as the Bureau’s “first formal issuance” summarizing more than a decade’s worth of precedent on abusiveness.
Specifically, the policy statement highlights two categories of abusive prohibitions: (i) obscuring critical features that could materially interfere with or impede a consumer’s ability to understand terms or conditions that may prompt a consumer to reconsider signing up for certain products or services (e.g., burying or overshadowing important disclosures, filling disclosures with complex jargon, omitting material terms and conditions, physically preventing consumers from viewing notices, or engaging in digital interference through the use of “dark patterns” aimed at “making the terms and conditions materially less accessible or salient”); and (ii) leveraging a company’s knowledge or market power to take unreasonable advantage of a consumer relating to: gaps in understanding; unequal bargaining power; and consumer reliance (e.g., causing a consumer to face a range of potential harms, including monetary and non-monetary costs, taking advantage of a consumer’s lack of understanding as it relates to whether a debt is legally enforceable or when fees will be assessed, or preventing a consumer from switching service providers).
Additionally, the Bureau notes that in order to establish liability, the agency would not be required to show that “substantial injury” occurred—it only needs to show that a practice is considered “harmful or distortionary to the proper functioning of the market.”
Abusive acts or practices will focus on actions, CFPB Director Rohit Chopra explained in prepared remarks at the University of California Irvine Law School, whereas deception claims are more concerned with whether a company’s communications create a misleading net impression. “Congress prohibited companies from leveraging unequal bargaining power, and that includes consumer reporting companies, servicers, and debt collectors who use the fact that their customers are captive to force people into less advantageous deals, extract excess profits, or reduce costs by providing worse service than they would provide if they were competing in an open market,” Chopra added.
The Bureau will receive comments on the policy statement through July 3.
OFAC settles with digital platform on sanctioned transactions
On March 31, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $72,230 settlement with a global digital trading platform to resolve allegations that it processed transactions for customers who self-identified as being located in Iran or Cuba, or were employees of the Government of Venezuela (GoV). OFAC’s web notice stated that between March 2017 and May 2022, the company, or certain of its non-U.S. affiliates, allegedly maintained accounts for customers who submitted information showing their locations were in a sanctioned jurisdiction. OFAC further maintained that the company violated the Venezuela Sanctions Regulations by processing transactions on behalf of two customers who self-identified as employees of the GoV. OFAC claimed, among other things, that the company implemented inadequate compliance processes to identify, analyze, and address risks.
In its web notice, OFAC stated that it determined that “the violations were voluntarily self-disclosed and were non-egregious.” OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years. Additionally, the company undertook numerous remedial measures upon learning of the alleged violations, cooperated with OFAC throughout the investigation, and agreed to toll the statute of limitations, the notice said.
The company issued the following response: “We appreciate that OFAC recognized our full cooperation and remediation of the issues involved in this matter. These were self-identified and self-reported matters that reflect the rigor of our compliance review processes.”
Orrick represented the company in this matter.