InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York requires private employers to provide electronic monitoring notice
On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must receive acknowledgement from the employee either in writing or electronically and are also required to post the notice of electronic monitoring in a conspicuous area where it can be viewed by employees. The act applies to any individual, corporation, partnership, firm, or association with a place of business in New York, but does not include the state or political subdivisions of the state. Also exempt are processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” The attorney general is authorized to enforce the act and fine employers found to be in violation of the provisions. The act takes effect in 180 days.
DFPI issues fourth round of draft regulations for commercial financing disclosures
On November 5, the California Department of Financial Protection and Innovation (DFPI) issued a fourth draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written, consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. California released the first draft of the proposed regulations in July 2019, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released second and third rounds of modifications in August and October of this year (covered by InfoBytes here, here, here, and here). The fourth modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications amend the term “average monthly cost” to mean the average total amount paid by the recipient (for periodic and irregular payments) over a contract’s term divided by the number of months specified in the contract. Providers may divide the number of days in the contract term by 30.4 to determine the number of months in the contract term. This calculation may also be used to determine the “estimated monthly cost.” Comments on the fourth modifications must be received by November 22.
Kansas AG fines companies for unlawful data disposal
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas Consumer Protection Act and the Wayne Owen Act by repeatedly disposing of records in unsecured trash receptacles without “rendering the personal information unreadable or undecipherable.” By engaging in these actions, the AG stated, the companies failed to comply with the requirements that companies implement and maintain reasonable policies and procedures and exercise reasonable care to protect personal information from unauthorized access and use, and take reasonable steps to destroy records containing personal information when they are no longer needed. Under the terms of the consent judgments (see here, here, and here), the companies must pay the fine, implement measures to ensure the proper disposal of documents, conduct employee training on the proper handling and disposal of personal information, and evaluate their information security programs and policies to ensure personal information is protected.
California AG takes action against casino for AML violations
On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.
District Court grants preliminary approval in BIPA settlement
On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, the plaintiff filed the proposed class action in 2019, alleging the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by collecting thousands of fingerprints through a finger-scanning donor identification system without providing proper disclosures or obtaining informed written consent. The plaintiff further alleged that the defendant required her (and thousands of Illinois blood plasma donors) to provide a fingerprint to donate plasma, which was later used for identification on subsequent visits. The plaintiff alleged that by not requiring her informed consent and by disclosing her information to a third party, the defendant’s practice violated BIPA. According to the plaintiff’s motion, the settlement (if approved) would establish a settlement class of 76,826 Illinois blood plasma donors who were required to scan their finger at the defendant’s Illinois facilities prior to donating plasma. The settlement would provide payouts of approximately $400 to $800 per class member, assuming a claims rate of 10 percent to 20 percent, and permit class counsel to file for up to 35 percent of the settlement fund for attorney fees.
11th Circuit lifts a receivership and asset freeze of $85 million
On November 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed in part and vacated in part a district court’s order, finding that portions of the district court’s decision could not stand under the U.S. Supreme Court’s April ruling in AMG Capital Management v. FTC. The Court held in that case that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.” (Covered by InfoBytes here). According to the 11th Circuit’s opinion, in 2019, the FTC alleged that individuals associated with multiple limited liability companies engaged in unfair or deceptive business practices in violation of 15 U.S.C. § 45(a). The FTC also filed a motion for a temporary restraining order the same day against the corporate defendants, seeking to freeze their assets, place the entities into a receivership, and enjoin all the parties from materially misrepresenting their services or from releasing consumer information obtained through the limited liability company. The district court granted the motion for a temporary restraining order in full in December 2019, and in January 2020, the district court granted a preliminary injunction against the limited liability company, extending the asset freeze, receivership, and injunction for the duration of the lawsuit.
On appeal, the 11th Circuit affirmed those parts of the preliminary injunction enjoining the appellants from misrepresenting their services and releasing consumer information. The panel upheld the portion of the order that enjoined one of the investor entities and its principal, who was the former chairman of the corporate defendant’s board, from misrepresenting services on allegedly deceptive websites or releasing any customer information allegedly gathered through the websites. While the appeal was pending, however, the Court held in AMG Capital Management that 15 U.S.C. § 53(b) does not allow an award of “equitable monetary relief such as restitution or disgorgement,” leading the 11th Circuit to reverse the asset freeze and receivership aspects of the preliminary injunction. Additionally, the 11th Circuit noted that the principal from one of the entities “was individually responsible for the actions of [the corporate defendants],” and “likely knew that [the corporate defendants] made over eighty million dollars in two years selling 'guides' on government services, and it almost beggars belief that he would be completely unaware of how [the corporate defendants’] websites were raising that quantity of money.”
District Court grants SEC motion for default judgment
On November 2, the U.S. District Court for the Middle District of Georgia granted the SEC’s motion for default judgement in its suit accusing a Georgia-based investment firm and three of its officers of defrauding investors out of approximately $3 million. In July, the SEC filed a complaint against the defendants for allegedly defrauding investors through a prime bank scheme by falsely promising that their funds would remain in a purported escrow account and earn lucrative returns without any risk of loss, which violated the antifraud provisions of Section 17(a) of the Securities Act of 1933 and Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. In its memorandum of law in support of its motion for default judgment, the SEC alleged that none of the defendants filed answers or responsive pleadings with the district court and had “engaged in egregious misconduct, acted with scienter, failed to admit their wrongdoing, were thoroughly dishonest with authorities, and have not demonstrated their financial means.” The district court granted the motion, approved permanent injunctions barring the defendants from committing future violations of securities laws, and required the defendants to return the investors' money with interest, in addition to the profits obtained through the alleged scheme. According to the order, the defendants are required to pay approximately $2.7 million total in disgorgement, exclusive of prejudgment interest, and pay a civil penalty of approximately $192,000.
CFPB seeks comments on recent orders to U.S. tech companies
On November 5, the CFPB published a notice in the Federal Register seeking public comments on recently issued orders to six large U.S. technology companies requesting information and data on their payment system business practices (covered by InfoBytes here). According to the notice, the Bureau invites comments from “any interested parties, including consumers, small businesses, advocates, financial institutions, investors, and experts in privacy, technology, and national security.” The notice is “one of many efforts within the Federal Reserve System to plan for the future of realtime payments and to ensure a fair and competitive payments system in our country.” Comments are due by December 6.
House subcommittee holds hearing on cybersecurity
On November 3, the House Financial Services Subcommittee on Consumer Protection and Financial Institutions held a hearing titled “Cyber Threats, Consumer Data, and the Financial System.” The hearing examined cybersecurity and consumer data protection challenges for financial institutions, discussed agencies efforts to strengthen cyber defenses for financial institutions, and reviewed the current legal framework governing data security. According to a committee memorandum, cyberattacks on banks are increasing in number. In the first half of 2021, banks and credit unions saw a 1,318 percent increase in ransomware attacks. In written testimony, one of the witnesses expressed his concern regarding the technological disparity between minority depository institutions (MDI) and large banks, observing that “cultural shifts inside the financial services industry, including the core processors and regulators, are necessary to help MDIs better orient themselves to meet new customer demands.” Another witness discussed in his written testimony support for the NCUA to obtain data security and privacy authority over third-party vendors, which is an authority currently given to other federal agencies. Among other things, the hearing addressed several bills on cybersecurity and consumer protection: (i) Safeguarding Non-bank Consumer Information Act; (ii) Strengthening Cybersecurity for the Financial Sector; and (iii) Enhancing Cybersecurity of Nationwide Consumer Reporting Agencies Act. Specifically, one of the witnesses in his written testimony recommended that Congress revise the definition of “data aggregators” in the Safeguarding Non-bank Consumer Information Act to ensure that it covers non-financial institution entities and individuals.
CFPB deputy director discusses future rulemaking research efforts
On November 5, CFPB Deputy Director Zixta Martinez spoke before the Bureau’s Academic Research Council (ARC) meeting, in which she discussed recent research efforts taken to inform future rulemaking and identify root causes of challenges facing consumers. Martinez highlighted Section 1022 orders recently sent to several big tech payment platforms seeking information on their products, plans, and practices (covered by InfoBytes here). She noted that the evaluation of these companies’ payments platform data will help inform the Bureau on the future of the payments system as well as potential emerging risks, and will provide insights that may impact future rulemaking under Section 1033 concerning the disclosure of consumer data by regulated entities. Among other things, Martinez also discussed the importance of small business lending research to better understand whether these businesses provide fair and equitable access to credit and referred to the Bureau’s Section 1071 notice of proposed rulemaking issued in September (covered by a Buckley Special Alert). Martinez also noted that one of the Bureau’s priorities is ensuring access to fair and affordable credit for low-income, minority, or traditionally underserved communities, and said the Office of Research will solicit “suggestions and advice for ways to integrate racial and economic equity analyses into the CFPB’s research agenda.”