InfoBytes Blog

Financial Services Law Insights and Observations

  • Colorado issues remote work guidance to collection agencies

    State Issues

    On August 19, the Colorado attorney general published updated guidance on remote work for employees of entities regulated by the Consumer Credit Unit. Memorandum HB 22-1410, which was signed by the governor on June 7, amended Colorado’s Uniform Consumer Credit Code so that a supervised lender licensee may permit its employees to work from a remote location, so long as the licensee complies with certain requirements. The memorandum also provided that the March 2020 guidance issued by the Consumer Credit Unit Administrator for employees of regulated entities during the COVID-19 pandemic “remains in effect for regulated entities not covered by HB22-1410, including collection agencies, debt management providers, and student loan servicers, and will remain in effect until the last day of the 2023 legislative session of the 74th General Assembly, May 10, 2023.” The memorandum also noted that “due to concerns regarding the COVID-19 outbreak, individuals who work for regulated entities may be required, or wish, to work from home to avoid further spread of the outbreak, even though their homes are not licensed as branches.”

    The memorandum also disclosed that the state will not take any administrative, disciplinary, or enforcement actions for individuals working at home in what are technically unlicensed branches as long as certain criteria are met: (i) “The Colorado activity is conducted from the home location of an individual working on behalf of an entity who is licensed, registered, or files notification with the Administrator”; (ii) “The individual is working from home due to a reason connected to the Covid-19 outbreak and has informed the regulated entity in writing”; (iii) “None of the Colorado activity will be conducted in person with members of the public at the home location”; (iv) “Individuals working from home will not advertise, receive official mail directly, or permanently store any books or records at their remote location”; (v) “The Colorado licensee shall at all times exercise reasonable supervision of the licensable activity being performed at the home office and ensure sufficient safeguards to protect consumer information and data security”; and (vi) “The individual ceases conducting the activity from the home location as soon as reasonably possible, consistent with recommendations from the CDC, CDPHE, and applicable state health departments.”

    State Issues Colorado State Attorney General Licensing Covid-19

  • Colorado reminds collection agencies about medical law

    State Issues

    On August 16, the Colorado attorney general published a memorandum reminding collection agency licensees and interested parties that HB21-1198 becomes effective September 1. HB21-1198, among other things, amends the Colorado Fair Debt Collection Practices Act to add a new unfair practice—attempting to collect a debt that violates certain HB21-1198 requirements. The bill also creates requirements for notice and certain limitations on collections of medical debt. Specifically, the bill enacts healthcare billing requirements for indigent patients who are treated, but not reimbursed, through the state’s indigent care program and sets forth requirements before any collection proceeding may be initiated against an indigent patient. 

    State Issues State Attorney General Colorado Medical Debt Debt Collection Licensing Consumer Finance

  • California fines cosmetics chain for privacy violations

    Privacy, Cyber Risk & Data Security

    On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonta said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

    According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt-out of the sale of their information. According to the complaint, the company failed to take any of these measures.

    Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

    The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.”

    Privacy, Cyber Risk & Data Security State Issues Courts CCPA California Enforcement Settlement State Attorney General Opt-Out Third-Party

  • District Court preliminarily approves data breach class action settlement

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach may have exposed the personal financial information (PFI) of approximately 10,300 individuals, including names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information. Class members alleged that defendants failed to adequately protect the PFI of current and former employees and their beneficiaries, and that the resulting data breach “was a direct result of defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect PFI.” If granted final approval, the settlement will provide each class member the opportunity to make a claim for up to $3,500 in reimbursements for out-of-pocket expenses actually incurred, and compensation for up to four hours of lost time spent remedying issues fairly traceable to the data breach at $18 per hour. Additionally, class members will be given 18 months of credit monitoring protections.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement Class Action

  • District Court sends cryptocurrency hack suit to arbitration

    Courts

    On August 24, the U.S. District Court for the Eastern District of New York granted a motion to compel arbitration in an action claiming that a mobile communications company’s failure to protect the personal information of a cryptocurrency company founder allowed a hacker to steal $8.7 million in cryptocurrency. The cryptocurrency company and its founder sued the defendant citing violations of the Federal Communications Act and the New York Consumer Protection Act, along with numerous negligence claims. Plaintiff alleged that due to lack of safeguards, a hacker conducted an unauthorized “SIM swap” and used the plaintiff’s personal information to access his cryptocurrency wallets and exchange accounts. Plaintiff further claimed that even though it reported the SIM swap to the defendant, “[m]ore attacks continued to succeed over the following years.” The defendant moved to compel arbitration claiming that the plaintiff electronically signed receipts agreeing to terms and conditions which require the arbitration of disputes unless a customer opts-out. The plaintiff countered that “he was not shown the full terms and conditions to his service; that he could not conduct a ‘complete review and inspection’ of the digital receipt because of the screen’s small size, resolution, and inadequate backlighting; that the displayed receipt did not permit hyperlinked review of the full terms; that the display did not affirmatively seek his consent to arbitration by requiring he press a button or check a box; that the full terms were not separately provided in another form; and that his consent was not otherwise confirmed by [defendant] personnel.”

    The court found that had the plaintiff “simply thought he was signing a receipt for equipment purchases–and had no idea that any terms and conditions were displayed on the digital device he signed–the court might have concluded that there remained a question of fact suitable for resolution by a jury.” However, the court found that the plaintiff “never claimed that he was unaware that his transactions with [defendant] carried terms and conditions” nor did he allege that he never received “a notice indicating the existence of the terms” even though the court specifically asked the parties to establish these facts in limited discovery. Accordingly, the court ruled that the plaintiff was on notice of defendant’s terms and agreed to them, thus compelling arbitration.

    Courts Digital Assets State Issues Cryptocurrency Arbitration New York Federal Communications Act

  • Court grants summary judgment in payday lender suit

    Courts

    On August 23, a Municipal Court in Ohio granted a defendant’s motion for summary judgment in a case involving payday lending. According to the order, the plaintiff’s complaint alleged that the defendant, in April 2019, executed a Line of Credit and Security Agreement with a lender in the amount of $1,101, and agreed to repay amounts advanced within a 30-day billing cycle pursuant to certain fees and a 24.99 percent interest rate. The complaint further alleged that defendant failed to make timely payment, and thereafter plaintiff, as assignee of the lender, sought to enforce the agreement. In her answer, the defendant denied entering any such agreement and characterized the transaction as “a $500 loan,” asserting that this case “involves an illegal scheme by [the short-term cash lender, the mortgage lender, and the plaintiff] to issue and collect illegal payday loans under a scheme to attempt to evade compliance with new state lending laws.” The plaintiff asserted counterclaims for violations of the Short-Term Loan Act, the Mortgage Loan Act, Ohio Consumer Sales Practices Act, and for civil conspiracy.

    On motion for summary judgment, the defendant argued that she was entitled to judgment on “Plaintiff’s complaint because the parties’ April 2019 agreement ‘is void because it was made in violation of Ohio lending and consumer laws.’” The defendant presented two arguments: (i) the lender is not licensed under the Short-Term Loan Act to issue a loan less than $1,000; and (ii) the lender is “prohibited from engaging in acts or practices to evade the prohibition against Mortgage Loan Act registrants issuing loans for $1,000 or less or that have a duration of one year or less.”

    In granting summary judgment for the defendant, the court found that the underlying transaction was an “open-end loan under the plain language” of the Mortgage Loan Act, and that it was not a loan for $1,000 or less or one with a duration of one year or less under the Mortgage Loan Act, but that by using the security agreement framework, the lender engaged in an act or practice to evade the Mortgage Loan Act’s prohibition. The court found that the evidence showed defendant went to the lender for a simple loan under $1,000 and was provided on that day a check for $501. The court found further that, “it would appear [the lender] gave Defendant what she was seeking, namely a short-term loan … but without complying with any of the myriad restrictions applicable to such loans under the Short-Term Loan Act.” The court held that the security agreement framework did not stand because the “legally convoluted” structure did not benefit the parties in any meaningful way, and “the only explanation the Court can discern as to why that structure was used is that it was a stratagem for eluding the restrictions of the Short-Term Loan Act that would have otherwise applied to the parties’ transaction.”

    Courts State Issues Ohio Payday Lending Mortgages Consumer Finance

  • Biden announces student debt cancellation

    Federal Issues

    On August 24, President Biden announced a three-part plan for student loan relief. According to the Fact Sheet, the cumulative federal student loan debt is around $1.6 trillion and rising for more than 45 million borrowers. The President announced that the Department of Education (DOE) will, among other things: (i) provide up to $20,000 in debt cancellation to Pell Grant recipients with loans held by the DOE; (ii) provide up to $10,000 in debt cancellation to non-Pell Grant recipients for borrowers making less than $125,000 a year or less than $250,000 for married couples; (iii) propose a new income-driven repayment plan and cap monthly payments for undergraduate loans at 5 percent of a borrower’s discretionary income; and (iv) “propos[e] a rule that borrowers who have worked at a nonprofit, in the military, or in federal, state, tribal, or local government, receive appropriate credit toward loan forgiveness.” For income-driven repayment, Biden announced that the DOE is proposing a rule to, among other things: (i) reduce to 5 percent from 10 percent the amount that borrowers have to pay each month for undergraduate loans; (ii) guarantee that borrowers making less than 225 percent of the federal minimum wage are not required to make payments on their federal undergraduate loans; (iii) forgive loan balances after 10 years of payments, instead of 20 years, for borrowers with original loan balances of $12,000 or less; and (iv) cover the borrower’s unpaid monthly interest so that no borrower’s loan balance will grow when making monthly payments, “even when that monthly payment is $0 because their income is low.” The Fact Sheet also noted that if all borrowers claim the relief to which they are entitled under this plan, these actions “will [p]rovide relief to up to 43 million borrowers, including cancelling the full remaining balance for roughly 20 million borrowers,” will benefit primarily low- and middle-income borrowers, assist borrowers of all ages, and help narrow the racial wealth gap and promote equity by targeting those with the highest economic need.

    The same day, the DOE announced a final extension of the pause on student loan repayment, interest, and collections through December 31. As previously covered by InfoBytes, in April, Biden extended the moratorium on collecting student loans through August 31, which the DOE stated will allow “all borrowers with the paused loans to receive a ‘fresh start’ on repayment by eliminating the impact of delinquency and default and allowing them to reenter repayment in good standing.”

    Earlier this week, the DOE announced that it will provide over $10 billion in debt relief for over 175,000 borrowers in 10 months through the Public Service Loan Forgiveness (PSLF) program. The recent announcement follows changes the DOE announced in October 2021 (covered by InfoBytes here) that, among other things, gave qualifying borrowers a time-limited PSLF waiver that allowed all payments to count towards PSLF regardless of loan program or payment plan. These include payments made on loans under the Federal Family Education Loan (FFEL) Program or Perkins Loan Program. The recently announced changes provide that student borrowers receive credit for payments made on loans from FFEL, Perkins Loan Program, and other federal student loans. To qualify for the program under the temporary changes, such borrowers must apply to consolidate their loans into a Direct Consolidation Loan by October 31. Additionally, the DOE announced that “under the temporary changes, past periods of repayment count whether or not borrowers were on a qualifying repayment plan or whether or not borrowers made payments.” To date, $32 billion in student loan relief has been approved for over 1.6 million borrowers.

    Federal Issues Department of Education Student Lending Biden Agency Rule-Making & Guidance Income-Driven Repayment Debt Cancellation Consumer Finance

  • CFPB finds relationship between medical care assistance and debt collections

    Federal Issues

    On August 24, the CFPB published a blog post exploring the connection between eligibility for financial assistance for medical care and the prevalence of medical collections. According to the Bureau, Americans spent $4.1 trillion on health care in 2020, and continue to incur significant medical expenses, despite private insurance coverage and government programs. The Bureau expects that number to reach $6.2 trillion by 2028. The Bureau found that as household incomes decrease, a higher percentage of consumers have medical collections. For example, the Bureau reported that of those with household earnings between $20,001 and $40,000 in 2018, consumers had at least one medical collection on their credit report. The Bureau also reported that among people in households with children and with incomes under $40,000, “38.1 percent had at least one medical collection on their credit report in December 2018,” which is approximately three times the rate for people without children earning the same amount. The Bureau noted that three nationwide credit reporting companies recently began removing paid medical collections from credit reports and will, starting in 2023, stop reporting medical collections below $500. However, the Bureau explained that many low-income consumers will not benefit from this change as their existing collections exceed $500, and therefore access to financial assistance continues to be important for such consumers. The Bureau concluded that more “research could explore the extent to which differences in legislative and regulatory environments influence the provision of financial assistance and lead to better financial outcomes for consumers.”

    The same day, the Bureau announced that Director Rohit Chopra will host a virtual discussion to explore challenges around nursing home debt collection practices and the impact they can have on financial wellbeing on September 8. According to the Bureau, the discussion “is a chance for the CFPB to listen and learn about consumer advocates’ and individuals’ experiences with nursing home debt and debt collection practices.”

    Federal Issues CFPB Consumer Finance Medical Debt Debt Collection

  • FTC will not extend comment period on NPRM seeking to ban auto lending junk fees and bait-and-switch tactics

    Agency Rule-Making & Guidance

    On August 23, the FTC issued a decision declining to extend the public comment period for its notice of proposed rulemaking (NPRM) to ban “junk fees” and “bait-and-switch” advertising tactics related to the sale, financing, and leasing of motor vehicles by dealers. As previously covered by InfoBytes, the NPRM seeks to prohibit dealers from making deceptive advertising claims to entice prospective car buyers and would also: (i) prohibit dealers from charging fees for “fraudulent add-on products” and services that—according to the FTC—do not benefit the consumer; (ii) require clear, written, and informed consent (including the price of the car without any optional add-ons); and (iii) require dealers to provide full, upfront disclosure of costs and conditions, including the true “offering price” (the full price for a vehicle minus only taxes and government fees), as well as any optional add-on fees and key financing terms. Dealers would also be required to maintain records of advertisements and customer transactions. In declining to extend the comment period, the FTC said the public has been afforded “a meaningful opportunity to provide the Commission with comments regarding its rulemaking proposal.” The comment period will end September 12.

    Agency Rule-Making & Guidance Federal Issues FTC Auto Finance Junk Fees Fees Disclosures Consumer Finance

  • House Republican concerned about Treasury sanctions on virtual currency mixer

    Federal Issues

    On August 23, Representative Tom Emmer (R-MN) sent a letter to Treasury Secretary Janet Yellen raising privacy and due process concerns related to recent “first-of-their-kind” sanctions issued against a virtual currency mixer accused of laundering more than $7 billion in virtual currency, including more than $455 million stolen by a Democratic People’s Republic of Korea state-sponsored hacking group that is separately subject to U.S. sanctions (covered by InfoBytes here). The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) said the sanctions resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” (Covered by InfoBytes here.)

    Emmer stressed, however, that adding the company to OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List seemed to diverge from previous OFAC precedent since several of the company’s designated “smart contract addresses” do not appear to be a person, entity, or property, but rather are distributed technological tools that are not controlled by any entity or natural person. “OFAC has a long, commendable history of utilizing financial sanctions to enhance the national security of the United States,” the letter said. “Nonetheless, the sanctioning of neutral, open-source, decentralized technology presents a series of new questions, which impact not only our national security but the right to privacy of every American citizen.” Emmer referenced May 2019 guidance issued by FinCEN (covered by InfoBytes here), which he said drew “a distinction between ‘providers of anonymizing services’ (including ‘mixers’)” which are subject to Bank Secrecy Act obligations and “‘anonymizing software providers’” which are not. Emmer recognized that OFAC is not bound by FinCEN regulations, but said it is his understanding that the sanctioned company is “simply the anonymizing software deployed on the blockchain.”

    Emmer requested clarification from Treasury on several questions, including the factors OFAC considers when designating technology to the SDN List and how OFAC plans to “uphold the appeals process for the sanctioned addresses that have no ability to appeal the sanction to OFAC” because they “are smart contracts with no agency, corporate or personal, and as such cannot speak for themselves or those whose funds they hold.”

    Federal Issues Digital Assets Financial Crimes Department of Treasury Sanctions OFAC Of Interest to Non-US Persons Virtual Currency Cryptocurrency North Korea FinCEN U.S. House
