InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC issues Zimbabwe-related sanctions
On September 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13469 against a Zimbabwe individual for his role in undermining Zimbabwe’s democratic processes and institutions. OFAC also removed eleven others from the Specially Designated Nationals List (SDN List) under the Zimbabwe sanctions program. According to OFAC, the sanctioned individual, among other things, undermined political parties that opposed the policies of the ruling Zimbabwe African National Union-Patriotic Front party, and, in 2020, supported Zimbabwe security services’ use of pressure and intimidation on prominent opposition figures. As a result of the sanctions, all property and interests in property belonging to the sanctioned individual that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned 50 percent or more by one or more designated persons” are blocked. Additionally, U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
2nd Circuit requires second look at “design and content” of online user agreement
On September 14, the U.S. Court of Appeals for the Second Circuit reversed a district court’s order denying a credit union’s motion to compel arbitration in a case involving the “unique question” of “whether and how to address incorporation by reference in web-based contracts under New York law.” The plaintiff claimed that the credit union wrongfully assessed and collected overdraft and insufficient funds fees on checking accounts that were not actually overdrawn. After the credit union moved to compel arbitration pursuant to a mandatory arbitration clause and class action waiver provision contained in the account agreement, the plaintiff argued that she was not bound by these provisions because they were not included in the original agreement and the credit union did not notify her when it added them to the agreement. According to the credit union, the plaintiff was on inquiry notice of the modified agreement because she separately agreed to an internet banking agreement that incorporated the modified account agreement by reference, and because the modified account agreement was published on the credit union’s website, which the plaintiff used for online banking. The district court disagreed, finding, among other things, that the hyperlink and language related to the account agreement appeared to be “buried” in the internet banking agreement.
On appeal, the 2nd Circuit held that the district court “erred in engaging in the inquiry notice analysis, which requires an examination of the ‘design and content’ of the webpage, without reviewing the actual screenshots of the web-based contract.” Recognizing that the internet banking agreement was a “clickwrap” or a “scrollwrap” agreement, the appellate court explained that it has “consistently upheld such agreements because the user has affirmatively assented to the terms of the agreement by clicking ‘I agree’ or similar language.” While the plaintiff did not dispute that she signed up for internet banking, this did not end the court’s analysis; according to the 2nd Circuit, when addressing questions concerning digital contract formation, “courts also evaluate visual evidence that demonstrates ‘whether a website user has actual or constructive notice of the conditions.’” The credit union did not provide evidence showing how the internet banking agreement was presented to users—thereby preventing the district court from assessing whether the relevant language and hyperlink were clear and conspicuous. The 2nd Circuit, therefore, instructed the district court to consider on remand the design and content of the internet banking agreement “as it was presented to users” to determine whether the plaintiff agreed to its terms, and to assess whether the account agreements are “clearly identified and available to the users” based on applicable precedents regarding inquiry notice of terms in web-based contracts.
CFPB studying BNPL growth
On September 15, the CFPB announced plans to consider issuing interpretive guidance or regulations to ensure that buy now, pay later (BNPL) lenders follow many of the same consumer protection measures that exist for credit cards. “We will be working to ensure that borrowers have similar protections, regardless of whether they use a credit card or a Buy Now, Pay Later loan,” CFPB Director Rohit Chopra said in the announcement. The Bureau described BNPL products as a form of interest-free credit that “serves as a close substitute for credit cards” and allows consumers to split a retail transaction into smaller, interest-free installments that are repaid over time.
Recognizing that BNPL products are a rapidly growing alternative form of credit for online retail purchases, the Bureau published a report providing key insights into the industry. According to the report, the number of BNPL loans originated from 2019 to 2021 in the US grew 970 percent, from 16.8 million to 180 million. The total dollar volume of these loans grew by 1,092 percent in that period, from $2 billion in 2019 to $24.2 billion in 2021, the report said, noting that 73 percent of applicants were approved for credit in 2021, up from 69 percent in 2020. Additionally, the report found that 89 percent of consumers using BNPL loans linked their accounts to their debit cards, and that late fee policies vary by issuer.
The Bureau raised several concerns with BNPL products in the report, including (i) inconsistent standardized cost-of-credit disclosures, minimal dispute resolution rights, a forced opt-in to autopay, and occurrences where consumers are assessed multiple late fees on the same missed payment; (ii) risks related to data harvesting and monetization, as many BNPL lenders shift business models toward proprietary app usage, allowing lenders “to build a valuable digital profile of each user’s shopping preferences and behavior”; and (iii) concerns over consumers taking out several loans during a short period of time at multiple lenders. According to the Bureau, because most BNPL lenders currently do not furnish data to the major credit reporting companies, many lenders are unaware of a consumer’s current liabilities when deciding whether to originate new loans.
The Bureau noted in its announcement that while BNPL lenders are currently subject to some federal and state oversight, compliance and licensing requirements vary. In addition to exploring potential new regulatory guidance, the Bureau said it plans to identify surveillance practices that BNPL lenders should seek to avoid, and it will continue to address the development of appropriate and accurate credit reporting practices for the industry. Chopra further announced that the Bureau is inviting BNPL lenders to self-identify if they wish to be examined for any potentially problematic business practices. The Bureau is also reviewing its authorities to conduct examinations on a compulsory basis and will work with state regulators that license nonbank finance companies on examinations of BNPL firms.
Consumer groups urge Chopra to limit forced arbitration
On September 13, a collation of consumer advocacy groups sent a letter to CFPB Director Rohit Chopra, urging him to limit the use of forced arbitration in consumer contracts in cases where consumers have been “victimized by banking abuses or fraud.” Pursuant to the Dodd-Frank Act, Congress directed the Bureau to study the use of forced arbitration clauses in the consumer finance market and authorized it to write a rule to limit or restrict the practice, which resulted in a 2015 Arbitration Study report (covered by InfoBytes here). The report, according to the letter, “found that tens of millions of consumers were subject to forced arbitration clauses and class action bans in their credit card, deposit account, prepaid account, student loan, payday loan, and wireless carrier contracts,” and, among other things suggested only a small minority of consumers actually filed for forced arbitration. The letter argued that mandatory arbitration clauses in banks’ consumer contracts are “blocking millions of consumers from seeking justice,” and urged the Bureau to use its authority to ensure that “consumers are empowered to act as a group and on their own in the courts.” The letter concluded by urging the Bureau to “rein in forced arbitration in financial services.”
DOJ fines bank in "first-ever" FCA settlement over PPP loan
On September 13, the U.S. Attorney’s Office for the Southern District of Texas announced an agreement with a bank to pay approximately $18,600 to resolve allegations that it violated the False Claims Act (FCA). This “is believed to be the nation’s first settlement with a Paycheck Protection Program (PPP) lender pursuant to the [FCA],” the announcement said. As previously covered by a Buckley Special Alert, in March 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act, which provided a host of relief measures for small businesses, including $349 billion for Small Business Administration loan forgiveness, guarantees, and subsidies. According to the announcement, the bank approved and processed a $213,400 PPP loan for a clinic, despite knowing that the sole owner of the clinic was facing criminal charges arising from his practice of prescribing opioids and was therefore ineligible to apply for the PPP loan. The announcement noted that “the bank processed the application anyway and falsely granted the money to [the sole owner].” The bank received a 5 percent processing fee from the government, including $10,670 to which it was not entitled. The owner of the clinic entered a $523,000 settlement in November 2021, resolving allegations that he used false statements on his PPP application and allegedly submitted false claims for the placement of electroacupuncture devices. In 2022, the owner also repaid the PPP loan in full. According to the announcement, the settlement reflects the bank’s “efforts to cooperate with the government’s investigation and provide relevant facts along with its implementation of additional compliance measures.”
District Court grants final approval in data breach suit
On September 13, the U.S. District Court for the Eastern District of Virginia granted final approval of a class action settlement in a data breach suit. As previously covered by InfoBytes, in July 2019, a national bank (defendant) announced that an unauthorized individual had obtained the personal information of credit card customers and applicants. In May 2020, a magistrate judge ordered the defendant to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the defendant’s 2019 data breach, concluding the report was not entitled to work product protection. According to the final settlement, members of the settlement class, which includes approximately 98 million U.S. residents whose information was compromised in the breach disclosed in July 2019, will receive cash compensation for out-of-pocket losses traceable to the data breach, cash compensation for time spent addressing with issues related to the breach, and at least three years of identity theft defense and resolution services. Counsel can seek fees and court costs of 35 percent of the settlement fund. Additionally, each of the eight settlement class representatives could receive $5,000 in service awards, and the other plaintiffs who were deposed by the defendant will receive service awards.
OFAC publishes additional guidance related to sanctioned virtual currency “mixer”
On September 13, the U.S. Treasury Department’s Office of Foreign Assets Control published new cyber-related frequently asked questions concerning transactions involving a virtual currency mixer sanctioned last month for allegedly laundering more than $7 billion in virtual currency since 2019. As previously covered by InfoBytes, the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and provided financial, material, or technological support for, or in support of, cyber-enabled activity contributing to a significant threat to the national security, foreign policy, or economic health or financial stability of the U.S. The FAQs outline requirements for completing virtual currency transactions without violating U.S. sanctions regulations, discuss whether OFAC reporting obligations apply to transactions involving unsolicited and nominal amounts of virtual currency, and reiterate that transactions involving identified virtual currency wallet addresses are prohibited absent a specific OFAC license. The FAQs noted that as part of the SDN List entry, OFAC included as identifiers certain virtual currency wallet addresses associated with the company as well as the company’s URL address. OFAC provided additional clarification on interactions with open-source code that does not involve a prohibited transaction with the sanctioned company.
OFAC sanctions individuals and entities connected to IRGC-QF
On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions as part of a joint action with the DOJ, Department of State, FBI, U.S. Cyber Command, National Security Agency, and Cybersecurity and Infrastructure Security Agency, against ten individuals and two entities for their roles in conducting malicious cyber acts, including ransomware activity. The individuals and entities designated are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), which “is known to exploit software vulnerabilities in order to carry out their ransomware activities, as well as engage in unauthorized computer access, data exfiltration, and other malicious cyber activities.” OFAC also noted that a joint cyber security advisory was published to highlight continued malicious cyber activity by advanced persistent threat actors that the authoring agencies assess are affiliated with IRGC. As a result of the sanctions, all property, and interests in property of the designated individuals and entities, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in transactions with the designated persons. OFAC further warned that engaging in certain transactions with the individuals and entities designated today entails risk of additional sanctions.
District Court orders college operator to comply with CFPB CID
On September 13, the U.S. District Court for the District of Utah ordered the operator of several defunct colleges to cooperate with a CFPB civil investigative demand (CID) for potential violations of the Consumer Financial Protection Act. In 2019, the Bureau issued a CID to the operator seeking information on its private student loan financing program, as well as litigation concerning the loan program dating back to 2012, to aid its investigation into whether the program constituted unfair, deceptive, or abusive acts or practices. The operator argued that the CID was unenforceable for several reasons, including that it was “unreasonably oppressive” and that the legality of its program had already been litigated in state action. The operator also argued that because the Bureau’s leadership structure rendered it unconstitutional, it lacked authority to enforce the CID. A magistrate judge’s recommendation narrowed the scope of the CID, but the operator continued to object, stating that a severe reduction in staff created a loss of “significant institutional knowledge” about the loan program. After the U.S. Supreme Court issued its ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert ), the Bureau’s director ratified the CID. The operator then raised new objections claiming the Bureau’s funding structure violates the U.S. Constitution’s separation of powers, and therefore the agency lacks valid authority to enforce the CID.
The court rejected the operator’s argument, writing that dicta in the Supreme Court’s decision in Seila Law “suggests the Bureau’s funding structure is not an unconstitutional delegation of power from Congress to the Executive Branch.” According to the court, while the majority opinion in Seila Law made note of the CFPB’s funding structure, it treated it “merely as an aggravator” of the for-cause removal protection issues and “went as far as saying the Bureau’s constitutional infirmity would ‘disappear’ if ‘the Director were removable at will by the President.’”
With respect to burdensomeness, the court said the operator has failed to show evidence establishing an unreasonable burden in its objections, and that, moreover, it “has had more than three years’ notice to preserve any information it thought may be relevant to the Bureau’s investigation.” The court further stressed that the CID does not become overly burdensome simply because the operator shuttered its campuses thereby allegedly relinquishing “institutional knowledge” concerning its own education loan program prior to complying with the CID. The court granted the operator a 90-day extension to comply with the CID.
Democrats want PLUS loans in relief plan
On September 12, eight Senate Democrats sent a letter to President Biden, urging him to extend student-loan debt relief to roughly 3.6 million borrowers under the Parent Loan for Undergraduate Student (PLUS) loan program. Biden’s debt relief plan instructed the Department of Education (DOE) to, among other things: (i) provide up to $20,000 in debt cancellation to Pell Grant recipients with loans held by the DOE; (ii) provide up to $10,000 in debt cancellation to non-Pell Grant recipients for borrowers making less than $125,000 a year or less than $250,000 for married couples; and (iii) propose a new income-driven repayment (IDR) plan and cap monthly payments for undergraduate loans at 5 percent of a borrower’s discretionary income. Additionally, for IDR plans, Biden’s August announcement instructed the DOE to propose a rule to, among other things, reduce the amount that borrowers have to pay each month for undergraduate loans from 10 percent to 5 percent. The Senators expressed their concern that Biden’s recent actions do not appropriately cover Parent PLUS borrowers and urged his administration and the DOE to “to incorporate Parent PLUS borrowers in any administrative improvements to federal student loan programs, including the Public Service Loan Forgiveness and Income-Driven Repayment programs, extensions or creation of waivers, and in the implementation of executive actions to provide student debt relief.”