
InfoBytes Blog

Financial Services Law Insights and Observations


  • International medical waste provider agrees to $84 million FCPA settlement

    Financial Crimes

    On April 20, the DOJ entered into a deferred prosecution agreement (DPA) with an Illinois-based international medical waste management company, in which the company agreed to pay a fine of approximately $52.5 million related to a conspiracy to violate the FCPA’s anti-bribery provision and books and records provisions. Together with a related resolution with the SEC, and with various foreign authorities, the total resolution will reach over $84 million.

    According to the DOJ, between 2011 and 2016, the company participated in a scheme to bribe officials at government agencies and instrumentalities in Brazil, Mexico, and Argentina to obtain and retain business and to secure improper advantages in connection with providing waste management services. An executive at the company’s Latin America division directed employees in the company’s offices in Brazil, Mexico, and Argentina to pay bribes, typically in cash, that were calculated as a percentage of the underlying contract payments owed to the company from government customers.

    As part of the DPA, the company agreed to cooperate with the DOJ’s ongoing or future investigations, to improve its compliance program, and to retain an independent compliance monitor for two years, followed by self-reporting for the remainder of the term.

    The DOJ noted that, in addition to cooperation and remediation, the resolution reflects a number of factors, including (i) the company’s “failure to voluntarily and timely disclose the conduct that triggered the investigation”; and (ii) “the nature, seriousness, and pervasiveness of the offense.”

    The SEC simultaneously announced a resolution of a related matter, in which the company consented to a cease-and-desist order finding violations of the FCPA’s anti-bribery, books and records, and internal accounting controls provisions.  According to the SEC, the scheme also included sham third-party vendors who used false invoices to conceal cash payments to government clients. In addition, the company failed to have sufficient internal accounting controls in place to prevent or detect the misconduct and failed to implement its FCPA policies or procedures prior to 2016. Under the terms of the order, the company agreed to pay $28.2 million in disgorgement and prejudgment interest, of which up to $4.2 million will be offset by disgorgement paid to foreign authorities.

    Financial Crimes SEC DOJ FCPA Bribery Enforcement Of Interest to Non-US Persons Brazil Argentina Mexico

  • OFAC sanctions facilitators of Russian sanctions evasion

    Financial Crimes

    On April 20, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14024 against several entities and numerous individuals for attempting to evade sanctions imposed by the U.S. and its international partners on Russia. Included in the designations are a Russian commercial bank, a global network comprised of more than 40 individuals and entities led by a previously designated Russian oligarch (“including organizations whose primary mission is to facilitate sanctions evasion for Russian entities”), and several companies operating in Russia’s virtual currency mining industry. According to OFAC, this is the first time a virtual currency mining company has been sanctioned. In coordination with OFAC’s sanctions, the Department of State took further action by imposing visa restrictions on 635 Russian nationals and three Russian Federation officials for their involvement in human rights abuses, as well as 17 individuals responsible for undermining democracy in Belarus.

    As a result of the sanctions, all property and interests in property belonging to the sanctioned entities in the U.S. are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC noted that U.S. persons are prohibited from participating in transactions with the sanctioned persons unless authorized by a general or specific license.

    On the same day, OFAC issued new frequently asked question guidance clarifying obligations for credit card operators with regard to payment cards issued by sanctioned Russian financial institutions. OFAC also published two Russia-related general licenses: (i) General License 28 authorizes certain transactions involving a public joint stock company that are “ultimately destined for or originating from Afghanistan”; and (ii) General License 29 authorizes the wind down of transactions involving the same public joint stock company.

    Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.

     

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Designations OFAC Sanctions Russia Ukraine Ukraine Invasion Department of State SDN List

  • CRS report raises privacy concerns regarding digital wallets

    Privacy, Cyber Risk & Data Security

    On April 18, the Congressional Research Service released an overview of digital wallet technology and related cybersecurity, data privacy and consumer protection policy considerations. Digital wallets are software applications that store payment or account details to facilitate traditional payments using bank and credit card details, and also cover transfers from consumers’ bank accounts to retailers and peer-to-peer and cryptocurrency transactions. One issue the report identified is that companies that offer digital wallets and payment companies often collect information about users and may share data with affiliates and nonaffiliates unless users opt out. As previously covered by InfoBytes, the CFPB is developing proposed rulemaking around sharing consumer financial data, but it remains unclear whether the rules would apply to digital wallet companies. The report also stressed that because funds stored on digital wallets are not deposits, digital wallets are generally not covered by deposit insurance. And while credit, debit, or prepaid cards stored on a mobile wallet are covered by the EFTA and TILA (and implementing Regulations E and Z), those statutes do not currently cover cryptocurrency wallets. The report explained that “[c]ryptocurrency transactions are not subject to Regulation E primarily because these are not bank products and also because cryptocurrencies are not typically used for consumer payments.”

    Privacy/Cyber Risk & Data Security Digital Assets Congressional Review Act Cryptocurrency Consumer Finance

  • District Court denies motion for corrective notice in class action data breach case

    Privacy, Cyber Risk & Data Security

    On April 18, the U.S. District Court for the District of South Carolina denied the plaintiffs’ motion for corrective notice in a putative class action, ruling that the defendant cloud computer service provider is not required to issue a corrective notice related to a 2020 data breach. In 2020, a data breach exposed the personal data of individuals whose information was managed by the defendant and provided to the defendant’s clients. The plaintiffs alleged that the defendant’s “deficient” security program led to the data breach, and that the defendant failed to implement security measures to mitigate the risk of unauthorized access, used outdated servers, stored obsolete data, and maintained unencrypted data fields. The judicial panel on multidistrict litigation eventually consolidated several putative class actions arising from the data breach for coordinated pretrial proceedings. Plaintiffs argued that corrective notice to customers was appropriate, claiming the defendant “made numerous misrepresentations” related to the type of data stolen and performed “an unreliable risk of harm analysis that did not actually take into account the harm class members faced as a result of the breach.” The court disagreed, ruling that such corrective notice is improper at this stage. “Ultimately, the Federal Rules of Civil Procedure do not authorize Plaintiffs’ request to widely disseminate a notice endorsing their position on dispositive issues to [Defendant’s] customers, who are not parties or putative class members in this case, where Plaintiffs have not shown that [Defendant] made misleading communications regarding this litigation,” the court ruled.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action

  • District Court compels college operator to testify in CFPB CID challenge

    Courts

    On April 20, a magistrate judge for the U.S. District Court for the District of Utah issued a report and recommendation in a CFPB action seeking to compel testimony from a private, non-profit operator of several colleges as part of its petition to enforce a 2019 civil investigative demand (CID). The CID seeks information about (i) the operator’s private student loan program to determine whether its private financing program violated federal consumer financial laws; and (ii) litigation involving the operator’s student loan program to which it has been a party since 2012. The CID also sought testimony for what it said was an investigation into whether the operator had misled student borrowers about the offered loans or signed them up for loans without their knowledge or consent—a potential UDAAP violation. Former Bureau Director Kathleen Kraninger previously denied a petition to set aside the CID (and ultimately ratified its enforcement), but offered to narrow the CID’s scope to only require testimony regarding the first of these topics on the condition that the operator would testify as scheduled. The Bureau filed a petition to enforce the CID after the operator failed to comply. The operator challenged the Bureau’s single-director structure (which was addressed in rulings issued by the U.S. Supreme Court in Seila Law v. CFPB and Collins v. Yellen, covered by a Buckley Special Alert here and InfoBytes here), and argued, among other things, that the CID was “overly broad” and “burdensome.”

    The magistrate judge rejected the majority of the operator’s arguments, which included constitutional arguments, lack of relevance, abuse of process, and that the demand is too indefinite, overly broad and burdensome. The magistrate judge concluded that enforcing the compromise offered by the Bureau back in 2019 would be an equitable solution and give the agency the necessary information without imposing undue burden, explaining that the defendant “has now had multiple years to prepare witnesses for deposition and should not be unduly burdened to answer questions regarding its own private-student-loan program.”

     

    Courts CFPB CIDs Enforcement CFPA UDAAP

  • District Court grants final approval to class action data breach settlement against national convenience store chain

    Courts

    On April 20, the U.S. District Court for the Eastern District of Pennsylvania granted final approval to a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. As previously covered by InfoBytes, class members claimed that “despite the foreseeability of a data breach” the defendant, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” In May 2021, the court ruled that the defendant must face certain claims filed by a group of financial institutions (covered by InfoBytes here). In August, the court granted preliminary approval of the settlement, which required the defendant to provide monetary relief to class members totaling approximately $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards, in addition to requiring the defendant to take additional measures for a period of two years to prevent future unauthorized intrusions. The settlement includes three tiers of customers, who will receive gift cards for either $5 or $15, or $500 in cash, depending on the level of their injury caused by the data breach.

    Courts Privacy/Cyber Risk & Data Security Class Action Data Breach Settlement

  • CFPB, New York sue remittance provider

    Federal Issues

    On April 21, the CFPB and New York attorney general filed a complaint against a remittance provider (defendant) for allegedly violating the Electronic Funds Transfer Act and its implementing Regulation E and the Remittance Rule (the Rule) and the Consumer Financial Protection Act (CFPA), among various consumer financial protection laws. The Bureau’s announcement called the defendant a “repeat offender” citing that in 2018, the FTC filed a motion for compensatory relief and modified order for permanent injunction against the defendant, which alleged that it failed to adopt and implement a comprehensive fraud prevention program mandated by the 2009 order (covered by InfoBytes here). The CFPB complaint alleges that from October 2018 through 2022, the defendant: (i) violated the Remittance Rule requirements by repeatedly failing “to provide fund availability dates that were accurate, when the Rule required such accuracy”; (ii) “repeatedly ignored the Rule’s error-resolution requirements when addressing notices of error from consumers in New York, including in this district, and elsewhere;” and (iii) failed to establish policies and procedures designed to ensure compliance with money-transferring laws, in violation of Regulation E. The complaint further noted that the defendant’s “own assessments of consumers’ complaints showed that the dates Defendants disclosed to consumers, repeatedly, were wrong,” and that the defendant “found multiple delays in making funds available to designated recipients, including delays that constituted errors under the Rule,” among other things. Finally, the Bureau claims that the defendant violated the CFPA “by failing to make remittance transfers timely available to designated recipients or to make refunds timely available to senders.” The Bureau’s complaint seeks consumer restitution, disgorgement, injunctive relief, and civil money penalties. 
    According to a statement released by CFPB Director Rohit Chopra, "the remittance market is ripe for reinvention, and the CFPB will be examining ways to increase competition and innovation for the benefit of both families and honest businesses, while also avoiding creating a new set of harms."

    Federal Issues State Issues CFPB New York State Attorney General Consumer Finance CFPA Enforcement Remittance Rule FTC Repeat Offender Regulation E EFTA

  • CFPB releases medical debt report

    Federal Issues

    On April 20, the CFPB released a report analyzing complaints submitted to the Bureau in 2021 regarding medical billing, collection, and consumer reporting practices. The report describes the difficulties that consumers face in identifying, verifying, or eliminating the debt. The report also noted that most of the complaints could be sorted into two main themes: (1) the debt was already paid, does not belong to the consumer in question, or is otherwise incorrect, and (2) that information included in collection notices raised concerns. According to the Bureau, key findings of the report include, among other things: (i) from 2018 to 2021, complaints regarding collection attempts on medical bills that were not owed increased by 31 percent; (ii) approximately 15 percent of debt collection complaints in 2021 were about attempts to collect a medical bill; and (iii) “consumers often expressed surprise and frustration about finding out about old or small medical debts when checking their credit report.” The report is the most recent among statements and reports from the CFPB regarding medical debts and credit reporting. As previously covered by InfoBytes, in March the CFPB released a report, Medical Debt Burden in the United States, that cited research finding $88 billion in medical debt on consumer credit reports, accounting for 58 percent of all uncollected debt tradelines reported to credit reporting agencies.

    Federal Issues CFPB Consumer Finance Medical Debt Debt Collection Consumer Complaints

  • 9th Circuit: Networking site cannot deny data scraping access to publicly available profiles

    Privacy, Cyber Risk & Data Security

    On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations brought by the networking site claiming the data analytics company used automated bots to extract user data from the networking site’s website (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The networking site sent the data analytics company a cease-and-desist letter, asserting violations of state and federal law, including the Computer Fraud and Abuse Act (CFAA). The data analytics company responded that it had a right to access the public pages and later sought a preliminary injunction. In granting the preliminary injunction, the district court ordered the networking site to, among other things, “remove any existing technical barriers to [its] public profiles, and to refrain from putting in place any legal or technical measures” that would block access.

    The 9th Circuit previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the data analytics company’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States.

    On remand, the appellate court reviewed whether the data analytics company accessed data “without authorization” in violation of the CFAA after it received the cease-and-desist letter. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested that the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. “A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,” the appellate court wrote. “In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.” Therefore, the court held, the phrase “without authorization” does not apply to public websites.

    In determining that a preliminary injunction was appropriate, the appellate court held that the district court did not abuse its discretion in concluding that the data analytics company met the standard of establishing that the plaintiff is likely to succeed on the merits, is likely to suffer irreparable harm without such relief, that the “balance of equities” is in the favor of the plaintiff, and that the injunction would be in the public interest.  The court found that the data analytics company showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” In considering the balance of hardships, the 9th Circuit agreed that the scales “tipped sharply” in favor of the data analytics company “when weighing the likelihood that [the data analytics company] would go out of business against [the networking site’s] assertion that an injunction threatened its members’ privacy” and therefore risked the goodwill it had developed with its members. Finally, the court rejected the networking site’s claims that the data analytics company violated the CFAA, which would have preempted the remaining state law claims.  
     

    Privacy/Cyber Risk & Data Security Courts Appellate Ninth Circuit Cyber Risk & Data Security Computer Fraud and Abuse Act Data Scraping

  • HUD announces $15,000 payment for FHA violations

    Federal Issues

    On April 19, HUD announced a conciliation agreement with a national bank and one of its loan officers to resolve allegations that respondents violated the Fair Housing Act (FHA) by denying a mortgage loan to a couple until after one of the applicants returned to work from maternity leave. Under the FHA, it is unlawful to discriminate in the terms, conditions, or privileges associated with the sale of a dwelling on the basis of race, color, national origin, religion, sex, disability, or familial status, including denying a mortgage loan because an applicant is on maternity leave. In addition to requiring a $15,000 payment be made to the couple, the bank must “adhere to a policy wherein applicants on temporary leave, including parental leave, can be approved for a mortgage prior to returning to active work status,” and provide fair lending training to employees. The conciliation agreement does not constitute an admission by respondents or evidence of a finding by HUD of a violation of the FHA.

    Federal Issues HUD Enforcement Fair Lending Discrimination Fair Housing Act
