
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB: Financial services companies must safeguard consumer data

    Agency Rule-Making & Guidance

    On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”

    While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”


  • FTC probes cryptocurrency exchange operators

    Privacy, Cyber Risk & Data Security

    On August 9, the FTC issued an order denying a petition to quash a civil investigative demand (CID) against the operators of a cryptocurrency exchange regarding allegations of a December 2021 data breach. According to the order, the FTC “is investigating potential law violations arising out of [the company’s] operation and marketing of [the company], and whether Commission action to obtain monetary relief would be in the public interest.” The agency issued a virtually identical CID to the company on May 11 seeking details on what the company disclosed to consumers regarding the security of their crypto assets and how it has handled customer complaints. The FTC noted that the investigation includes inquiries regarding the company’s “representations concerning its advertised exchange services; allegations that consumers have been denied access to their accounts; and concerns about the security of customer accounts especially in light of a publicly reported 2021 security breach that resulted in consumer loss of more than $200 million in cryptocurrency.” Among other things, the FTC is seeking to determine whether the business practices of the operation in marketing and operating the company “constituted ‘unfair [or] deceptive . . . acts or practices . . . relating to the marketing of goods and services,’ or ‘[m]anipulative [c]onduct,’ ‘on the Internet’ (Resolution No. 2123125); constituted ‘deceptive or unfair acts or practices related to consumer privacy and/or data security’ in violation of Section 5 of the FTC Act (Resolution No. 1823036); or violated the GLB Act, its implementing rules, or Section 5 regarding ‘the privacy or security of consumer [financial] information.’”


  • SEC issues more than $16 million in whistleblower awards

    Securities

    On August 9, the SEC announced whistleblower awards totaling more than $16 million to two whistleblowers for providing information and assistance in a successful SEC enforcement action. According to the redacted order, the SEC awarded approximately $13 million to one of the whistleblowers for prompting the opening of the investigation and providing critical information, including information on “difficult to detect” violations. The whistleblower also identified key witnesses and helped staff “understand complex fact patterns and issues related to the matters under investigation.” The second whistleblower received a more than $3 million award for submitting important new information during the course of the investigation, which provided the staff a more complete picture. The SEC attributed the lower award amount to the fact that the second whistleblower delayed reporting the wrongdoing for several years, whereas the first whistleblower “persistently alerted the Commission to the ongoing abusive practices for a number of years before the investigation was opened.”

    The SEC has awarded more than $1.3 billion to 281 individuals since issuing its first whistleblower award in 2012.


  • CSBS releases nonbank cybersecurity examination tools

    Privacy, Cyber Risk & Data Security

    On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.

    “Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”

    CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.


  • 10th Circuit says materiality is determined through the perspective of the “reasonable consumer”

    Courts

    On August 8, the U.S. Court of Appeals for the Tenth Circuit upheld the dismissal of an FDCPA action, concluding that an alleged false or misleading communication must be material in order to be considered a violation of the statute, and that materiality is determined through the perspective of the “reasonable consumer.” The plaintiff, a student loan debtor, alleged that he received a letter from the defendant attempting to collect on a debt. The defaulted debt in question had been sold to a federal student-loan guaranty agency (creditor), which contracted with the defendant to collect the debt. According to the plaintiff, the letter appeared as if it were sent by the creditor, primarily because the letter displayed the guaranty agency’s name and logo instead of the defendant’s own information. The plaintiff claimed that the letter violated several sections of the FDCPA, which prohibit the use of false representations or deceptive means to collect a debt or obtain information concerning a consumer and require a debt collector to use its “true name.” The district court dismissed the action for failure to state a claim, ruling that the letter in question was not misleading and that the plaintiff failed to establish that the defendant used materially misleading, unfair, or unconscionable means to collect the debt.

    On appeal, the 10th Circuit held that “a reasonable consumer would not be misled,” because the letter (i) identifies the creditor as “the holder of a defaulted federally insured student loan”; (ii) states that the letter “is an attempt, by a debt collector, to collect a debt”; and (iii) clarifies that the defendant “is assisting [the creditor] with administrative activities associated with this administrative wage garnishment.” Moreover, “[e]ven assuming a reasonable consumer would believe [the creditor] and not [the defendant] sent the letter, [the plaintiff] fails to demonstrate how that would frustrate the reasonable consumer’s ability to respond intelligently,” the appellate court wrote.

    In its determination, the 10th Circuit also considered differences related to the “least sophisticated consumer” and a “reasonable consumer” in determining how materiality should be measured. According to the appellate court, even the courts that apply the least sophisticated consumer standard tend to agree that the consumer’s interpretation must be reasonable, thereby incorporating aspects of the reasonable consumer standard. The 10th Circuit pointed out that while many courts have referenced the “least sophisticated consumer” in their rulings, few actually use that perspective. “In applying the least sophisticated consumer standard, courts typically begin by noting the least sophisticated consumer is not an expert but then quickly explain he is not actually the least sophisticated consumer,” the 10th Circuit said, adding that “[i]n reality, the nebulous least sophisticated consumer standard is simply a misnomer. A few circuits, recognizing problems with the least sophisticated consumer standard, instead look to the ‘unsophisticated consumer.’” The appellate court concluded that, assuming “the reasonable consumer would read a communication in its entirety and make sense of a communication by assessing it as a whole and in its context,” no reasonable consumer would have been materially misled.


  • CFPB fines fintech for algorithm-induced overdraft charges

    Federal Issues

    On August 10, the CFPB announced a consent order against a California-based fintech company for allegedly using an algorithm that caused consumers to be charged overdrafts on their checking accounts when using the company’s personal finance-management app. According to the Bureau, the app promotes automated savings with a proprietary algorithm, which analyzes consumers’ checking-account data to determine when and how much to save for each consumer. The app then automatically transfers funds from consumers’ checking accounts to accounts held in the company’s name. The Bureau asserted, however, that the company engaged in deceptive acts or practices in violation of the CFPA by (i) causing consumers’ checking accounts to incur overdraft charges from their banks even though it guaranteed no overdrafts and represented that its app never transferred more than a consumer could afford; (ii) representing that it would reimburse overdraft charges (the Bureau claims the company has received nearly 70,000 overdraft-reimbursement requests since 2017); and (iii) keeping interest that should have gone to consumers even though it told consumers it would not keep any interest earned on consumer funds. Under the terms of the consent order, the company is required to provide consumer redress for overdraft charges that it previously denied and must pay a $2.7 million civil penalty.


  • SEC orders cryptocurrency company to register tokens as securities or pay more than $30 million fine

    Securities

    On August 9, the SEC issued a cease and desist order to a cryptocurrency company accused of allegedly holding an unregistered securities offering. The company raised approximately $30.9 million by selling cryptocurrency tokens to investors through an initial coin offering from November 2017 to January 2018. The SEC asserted, however, that the tokens were offered and sold as investment contracts (and therefore should be considered securities), and that the company’s offering constituted an unregistered securities offering. “A purchaser in the offering of [the tokens] would have had a reasonable expectation of obtaining a future profit based upon [the company’s] efforts in using the proceeds from the offering to create an online identity attestation system that would increase the token’s value on crypto asset trading platforms,” the SEC said in the order, which alleged violations of Sections 5(a) and 5(c) of the Securities Act. While at the time of the offering the company required certain purchasers to agree that they were buying the tokens for “utility” rather than an investment, the SEC argued that the company’s marketing promotions and statements made by early purchasers indicated that purchasers “had a reasonable expectation of profit.” Under the terms of the order, the company agreed to register its tokens with the SEC and notify purchasers in its offering that they may be able to claim a refund on their token purchases. The company also agreed to pay a $300,000 civil penalty. If the company fails to take these actions it faces a $30.9 million fine, minus the amount already paid to the SEC or to token purchasers, the order stated. The SEC noted that the company has already voluntarily taken steps to prepare for registration.


  • OFAC sanctions “mixer” for laundering over $7 billion in virtual currency

    Financial Crimes

    On August 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 against a virtual currency mixer accused of allegedly laundering more than $7 billion in virtual currency since 2019. According to OFAC, this amount includes more than $455 million stolen by a previously sanctioned Democratic People’s Republic of Korea state-sponsored hacking group (covered by InfoBytes here). OFAC stated that the designations resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, added that the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and stressed that Treasury “will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” As previously covered by InfoBytes, in 2020, Treasury’s FinCEN penalized a bitcoin mixer $60 million for violating the Bank Secrecy Act.

    As a result of the sanctions, all property and interests in property of the sanctioned entity that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons.” OFAC noted that its regulations prohibit U.S. persons from participating in transactions with designated persons unless authorized by a general or specific license issued by OFAC or exempt.

    Treasury further stressed that players in the virtual currency industry should take a risk-based approach for assessing risks associated with different virtual currency services, implementing measures to mitigate risks, and addressing the challenges anonymizing features can present to anti-money laundering/countering the financing of terrorism sanctions obligations. “[M]ixers should in general be considered as high-risk by virtual currency firms, which should only process transactions if they have appropriate controls in place to prevent mixers from being used to launder illicit proceeds,” Treasury said.


  • FTC charges healthcare company with fraud

    Federal Issues

    On August 8, the FTC announced it has taken action against a healthcare company, two subsidiaries, and the former CEO and former vice president of sales (collectively, “defendants”) for allegedly misleading consumers about their health insurance plans and using deceptive lead generation websites. According to the complaint, the defendants, along with their third-party partners, allegedly engaged in deceptive sales practices in violation of the FTC Act, the Telemarketing Sales Rule, and the Restore Online Shoppers Confidence Act (ROSCA). These practices allegedly included (i) lying to consumers about the nature of their healthcare plans; (ii) bundling and charging junk fees for unwanted products that were typically not clearly disclosed (consumers were often charged for these additional products after they cancelled their core healthcare plans); and (iii) making it difficult for consumers to cancel their plans. The FTC further alleged that the company (which sells association memberships and other healthcare-related products to consumers, often through telemarketing companies and lead generators), as well as the former CEO and former vice president of sales, were aware of the agents’ misconduct but allegedly “took steps to disguise and further the deception” instead of stopping the deceptive practices.

    The FTC stated that the company and two of its subsidiaries have agreed to a proposed court order, which requires the payment of $100 million in consumer redress. The proposed order also requires the company to contact current customers and allow them to cancel their enrollment. The company is also required to send refunds to consumers who cancel right after their order is entered. Additionally, the proposed order prohibits the company from misleading consumers about their products, requires the disclosure of total costs and limitations prior to purchase, and requires consumers to provide express informed consent before they are billed. The company must also provide a simple and easy-to-use cancellation method and closely monitor other companies that sell its products.

    The FTC also filed separate proposed court orders against the individual defendants (see here and here), which impose similar prohibitions and permanently ban them from playing any role in the sale or marketing of any healthcare-related product or service. The proposed orders also prohibit the former CEO from engaging in deceptive or abusive telemarketing practices, and ban the former vice president of sales from participating in any telemarketing whatsoever in the future.


  • 3rd Circuit adopts new “reasonable reader” standard for evaluating accuracy of credit reports

    Courts

    On August 8, the U.S. Court of Appeals for the Third Circuit issued an opinion in a matter consolidated on appeal concerning claims of alleged violations of the FCRA brought by several student loan borrowers. According to the opinion, each of the three borrowers defaulted on their student loan payments. The original lenders closed the accounts and transferred the loans to other lenders after the borrowers were more than 120 days late in their payments. The borrowers claimed that a “pay status” notation included in each of their credit reports, which read “Account 120 Days Past Due Date,” was inaccurate and could create the misleading impression that the borrowers were currently four months behind on payments when they did not owe a balance to the previous creditors. The consumer reporting agency (CRA) responsible for the credit reports at issue countered that the notations accurately reflected the historical status of the closed accounts. The borrowers appealed, arguing that the district court misapplied the “reasonable creditor” standard and that the credit reports did not meet the FCRA’s “maximum possible accuracy” requirement.

    On appeal, the 3rd Circuit agreed with the CRA’s interpretation, holding that the credit reports “contain multiple conspicuous statements reflecting that the accounts are closed and Appellants have no financial obligations to their previous creditors.” As such, “[t]hese statements are not in conflict with the Pay Status notations, because a reasonable interpretation of the reports in their entirety is that the pay status of a closed account is historical information,” the appellate court wrote. However, while the 3rd Circuit affirmed previous rulings dismissing the cases issued by the U.S. District Court for the Eastern District of Pennsylvania, it concluded that the “reasonable creditor” standard that the district court applied did not accurately reflect how the FCRA contemplates a range of permissible users, such as employers, investors, and insurers, and not just creditors. To account for this, the 3rd Circuit adopted a new standard for evaluating whether credit reports are inaccurate or misleading when read in their entirety by a “reasonable reader,” and applied that test in its precedential opinion. “A court applying the reasonable reader standard to determine the accuracy of an entry in a report must make such a determination by reading the entry not in isolation, but rather by reading the report in its entirety,” the appellate court said.
