InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Pennsylvania reaches $11 million settlement with rent-to-own company
On May 15, the Pennsylvania attorney general announced a $11.4 million settlement with a rent-to-own lender and its subsidiaries accused of engaging in predatory practices targeting low-income borrowers and employing deceptive collection practices. According to the AG, the lender disguised one-year rent-to-own agreements as “100-Day Cash Payoffs” and then concealed the balances owed. The AG maintained that consumers were locked into binding 12-month agreements that included high leasing fees (equal to 152 percent APR interest). The AG explained that consumers entitled to restitution and relief “had already satisfied the cash price, the sales tax on the cash price, and the processing fees associated with their purchase – yet still owed [the lender] a balance.” Additionally, the AG accused the lender of using a web-based portal for creating and signing contracts, which made it easy for persons other than the consumer to sign the agreements.
The order requires the lender to pay $7.3 million in restitution that will be distributed to affected consumers, $200,000 in civil penalties, and $750,000 in costs to be paid to the AG to be used for public protection and education purposes. Additionally, the lender is required to reduce the balances of delinquent lease-to-own accounts for certain rental purchase agreements, resulting in a $3.15 million aggregate reduction in balances. The lender has also agreed to, among other things, not represent or imply that failure to pay a debt owed or alleged to be owed “will result in the seizure, attachment or sale of any property that is the subject of the debt unless such action is lawful” or that the lender’s subsidiary intends to take such actions. The lender is also prohibited from collecting any amount, including interest, fees, charges, or expenses incidental to the principal obligation, unless the amount is expressly authorized by the agreement creating the obligation or permitted by law. Furthermore, the lender’s subsidiaries must clearly and conspicuously disclose customer balances during servicing calls and through a customer portal.
IOSCO urges global harmonization of crypto oversight
Earlier this month, the International Organization of Securities Commissions (IOSCO) released draft policy recommendations to support greater regulatory and oversight consistency within the crypto and digital assets markets. According to the global securities watchdog, regulators must strive for consistency in their oversight of crypto-asset activities given the cross-border nature of these markets and the varying approaches taken by individual jurisdictions. Seeking to optimize consistency in the way crypto-asset and securities markets are regulated, the IOSCO advised regulators to enhance cooperation efforts and attempt “to achieve regulatory outcomes for investor protection and market integrity that are the same as, or consistent with, those required in traditional financial markets in order to facilitate a level-playing field between crypto-assets and traditional financial markets and help reduce the risk of regulatory arbitrage.” Encouraging regulators to engage in rulemaking and information sharing, the IOSCO presented a comprehensive strategy for harmonizing the oversight of crypto companies, including standards on conflicts of interest and governance, fraud and market abuse, cross-border cooperation, custody of client monies and assets, and operational and technological risks. The IOSCO also suggested measures for reducing money laundering risks, explaining that crypto assets may be more appealing to criminals who want to avoid traditional financial system oversight. The IOSCO noted that its goal is to finalize its policy recommendations in early Q4 2023. Comments will be received through July 31.
CFPB announces $9 million settlement with bank on credit card servicing
On May 23, the CFPB announced a settlement to resolve allegations that a national bank violated TILA and its implementing Regulation Z, along with the Consumer Financial Protection Act. The Bureau sued the bank in 2020 (covered by InfoBytes here) claiming that, among other things, when servicing credit card accounts, the bank did not properly manage consumer billing disputes for unauthorized card use and billing errors, and did not properly credit refunds to consumer accounts resulting from such disputes. At the time, the bank issued a response stating that it self-identified the issues to the Bureau five years ago while simultaneously correcting any flawed processes.
The bank neither admitted nor denied the allegations but agreed under the terms of the stipulated final judgment and order filed in the U.S. District Court for the District of Rhode Island to pay a $9 million civil penalty. In addition to amending its credit card practices, the bank is prohibited from automatically denying billing error notices and claims of unauthorized use of cards should the customer fail to provide a fraud affidavit signed under penalty of perjury. The bank must also (i) credit reimbursable fees and finance charges to a customer’s account when unauthorized use and billing errors occur; (ii) provide required acknowledgement and denial notices to customers upon receipt or resolution of billion error notices; and (iii) provide customers who call its credit counseling hotline with at least three credit counseling referrals within the caller’s state. The bank must also maintain procedures to ensure customers are properly refunded any fees or finance charges identified by valid error notices and unauthorized use claims. The bank issued a statement following the announcement saying that while it “continues to disagree with the CFPB’s stance with respect to these long-resolved issues, which were self-identified and voluntarily addressed years ago,” it is pleased to resolve the matter.
SEC fines Dutch medical supplier $62 million to settle FCPA charges
The SEC recently announced that a global Dutch manufacturer of health technology products agreed to pay more than $62 million to settle claims that it allegedly violated the FCPA with respect to the sale of medical diagnostic equipment in China. According to the SEC’s order, between 2014 and 2019, the manufacturer’s agents in China “engaged in improper conduct to influence foreign officials in connection with tender specifications in certain public tenders to increase the likelihood that [the manufacturer’s] products were selected.” Certain agents also allegedly engaged in a variety of improper bidding practices that unjustly enriched the manufacturer by $41 million. Special pricing discounts were given to distributors, which created a corruption risk that the increased distributor margins could be used to fund improper payments to government-owned hospital employees, the SEC claimed. During this time, the SEC found that the manufacturer lacked sufficient internal accounting controls to prevent and detect the conduct, and allegedly failed “to provide reasonable assurances” that transactions were accurately recorded in the Chinese agents’ books and records, which were consolidated into the manufacturer’s books and records.
The SEC stated that the manufacturer was previously charged with similar misconduct in Poland between 1999 and 2007, and that despite taking remedial efforts, the manufacturer failed to implement sufficient internal accounting controls relating to its sales of health technology products in China. The manufacturer consented to the SEC’s order without admitting or denying allegations that it violated the books and records and internal accounting control provisions of the Securities Exchange Act and agreed to pay $15 million in civil penalties and more than $47 million in disgorgement and prejudgment interest. The SEC recognized the company’s cooperation and remedial efforts.
OFAC reaches $3.3 million settlement with cosmetics company for Iranian sanctions violations
The U.S Treasury Department’s Office of Foreign Assets Control (OFAC) recently announced settlements with a California-based cosmetics company and a former senior company executive to resolve potential civil liability stemming from allegations that the company participated in a conspiracy to export goods and services from the United States to Iran over roughly an eight-year period. According to OFAC’s web notice, the company entered into an exclusive agreement with an Iranian distributor to sell products in the Middle East, specifically in Iran, without ever receiving a specific license or other applicable OFAC guidance to do so. OFAC maintained that these exported products (for which the company requested a license), were neither generally authorized nor exempt from prohibition. During a later acquisition, the company again applied for, but did not receive, a specific license to export products to Iran. The company knew that an OFAC license was required to lawfully export the products to Iran but continued to do so through departments generally overseen by the former senior company executive, OFAC said, adding that prior to the acquisition, the company did not disclosure the exports or its involvement with Iran, nor was this conduct discovered during pre-acquisition due diligence. By conspiring to export approximately $11.1 million worth of goods to Iran over approximately eight years, the company allegedly violated the Iranian Transactions and Sanctions Regulations.
In arriving at the settlement amount, OFAC considered, among other things, that the company willfully violated U.S. sanctions by exporting its products and services to Iran, despite having knowledge that such conduct was prohibited, and that senior company officials had actual knowledge of the alleged misconduct. The $3.3 million settlement (of which the former senior company executive is responsible for $175,000) reflects that while the company voluntarily self-disclosed the apparent violations, the violations constitute an egregious case. OFAC also considered several mitigating factors, including that: (i) the company has undertaking remedial measures to prevent future misconduct; (ii) the overall percentage represented by its sales to Iran is small; (iii) the company has not received a penalty notice from OFAC in the preceding five years; (iv) the company cooperated with OFAC during the investigation and agreed to toll the statute of limitations; and (v) the former senior company executive’s violations involved the export of benign consumer goods.
Providing context for the settlement, OFAC said, among other things, that the “case highlights that U.S. sanctions on Iran encompass a wide range of potentially violative conduct, including the formation and execution of conspiracies to engage in prohibited activities such as exporting goods to Iran and causing such exports to occur.” OFAC reminded businesses that “placement of a U.S. entity under the compliance structure of a non-U.S. entity that may lack sufficient familiarity with U.S. sanctions laws could prevent the prompt identification of and response to potentially prohibited conduct.”
U.S. and EU enter bilateral sanctions partnership
On May 16, the United States and the European Union entered into a bilateral partnership to strengthen working relationships and share sanctions expertise to address foreign policy goals. The U.S.-EU partnership’s foundation is premised on a collaborative approach for financial sanctions, in which the U.S. Treasury Department’s Office of Foreign Assets Control, the European External Action Service, and the European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union will continue to work closely with partners around the world to ensure financial sanctions are fully contributing to member countries’ policy goals. Emphasizing that “[s]anctions are most effective when coordinated with a broad range of international partners who can magnify the economic and political impact,” Treasury stressed the importance of multilateral implementation to maximize the effectiveness of sanctions while minimizing unintended costs and compliance burdens.
Montana becomes the ninth state to enact comprehensive privacy legislation
On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, and Tennessee. The CDPA applies to any person that conducts business in the state or produces products or services targeted to state residents and, during a calendar year, (i) controls or processes personal data of at least 50,000 consumers (“excluding personal data controlled or processed solely for the purpose of completing a payment transaction”), or (ii) controls or processes personal data of at least 25,000 consumers and derives 25 percent of gross revenue from the sale of personal data. The CDPA provides several exemptions, including nonprofit organizations, registered securities associations, financial institutions, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, and covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of the CDPA include:
- Consumers’ rights. Under the CDPA, consumers will be able to access their personal data; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the sale of their data. A consumer may also designate an authorized agent to act on the consumer’s behalf to opt out of the processing of their personal data.
- Data controllers’ responsibilities. Data controllers under the CDPA will be responsible for, among other things, (i) responding to consumer requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, one for each consumer during a 12-month period; (ii) establishing a process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) establishing clear and conspicuous opt-out methods on a website that require consumers to affirmatively and freely choose to opt out of any processing of their personal data (and allowing for a mechanism that lets consumers revoke consent that is at least as easy as the mechanism used to provide consent); (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) processing data in compliance with state and federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) providing clear and meaningful privacy notices; and (ix) conducting data protection assessments and ensuring deidentified data cannot be associated with a consumer. The CDPA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action but enforcement by state attorney general. The CDPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the CDPA, the attorney general must give the data controller notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit. The cure provision expires April 1, 2026.
The CDPA takes effect October 1, 2024.
Georgia enacts commercial financing disclosure requirements
On May 1, the Georgia governor signed SB 90 to, among other things, require disclosures in connection with commercial financing transactions of $500,000 or less. The amendments modify the existing state Fair Business Practices Act and apply to “commercial loans” and “commercial open-end credit plans.” The amendments define a “provider” as “a person who consummates more than five commercial financing transactions in this state during any calendar year and includes, but is not limited to, a person who, under a written agreement with a depository institution, offers one or more commercial financing products provided by the depository institution via an online platform that the person administers.” The amendments also establish parameters for qualifying commercial transactions and outline numerous exemptions. Specifically, prior to consummating a commercial financing transaction, a provider must (i) disclose the terms of the transaction as specified within the amendments, and (ii) include a description of the methodology used to calculate any variable payment amount and the circumstances that may cause a payment amount to vary. The provisions apply to any commercial financing transaction consummated on or after January 1, 2024. The amendments also address unfair or deceptive practices relating to brokerage engagements and is effective January 1, 2024.
Crypto company settles NY AG’s hidden-fee claims
On May 18, the New York attorney general announced a settlement with a Brooklyn-based cryptocurrency company to resolve claims that it charged investors “exorbitant and undisclosed fees” to store cryptocurrency in an account that was advertised as being free on its website. The fees charged to investors to use its wallet storage were allegedly so high that they completely cleaned out investors’ accounts, the AG said. The company agreed to the AG’s findings that it regularly charged and increased fees without properly notifying investors. According to the AG’s investigation, the company changed the wallet storage fee structure four times without clearly disclosing the fee increase, which led to some investors being charged fees equal to 96 percent of the value of their account holdings. In total, the company took approximately $4.25 million from investors. The AG maintained that the company also failed to register as a commodity broker dealer in the state for a period of time, and that while it was eventually granted a virtual currency license pursuant to 23 NYCRR Part 200, it failed to file a registration statement. Under the terms of the assurance of discontinuance, the company is required to pay $508,910 in restitution to the state and provide full restitution to all investors who were misled. The company is also required to provide monthly refund status updates to the AG, limit the amount of fees charged for using its wallet service to 0.002 percent per cryptocurrency per month for at least five years, and ensure that it adequately discloses all fees to investors.
Default judgment entered against provider of immigration bonds
The U.S. District Court for the Western District of Virginia recently entered default judgment against defendants accused of misrepresenting the cost of immigration bond services and deceiving migrants to keep them paying monthly fees by making false threats of deportation for failure to pay. As previously covered by InfoBytes, the defendants—a group of companies providing immigration bond products or services for non-English speaking U.S. Immigration and Customs Enforcement detainees—were sued by the CFPB and state attorneys general from Massachusetts, New York, and Virginia in 2021 for allegedly engaging in deceptive and abusive acts and practices in violation of the Consumer Financial Protection Act (CFPA). The defendants argued that the court lacked subject matter jurisdiction because the Bureau did not have authority to enforce the CFPA since the defendants are regulated by state insurance regulators and are merchants, retailors, or sellers of nonfinancial goods or services. However, the court disagreed, explaining that “limitations on the CFPB’s regulatory authority do not equate to limitations on this court’s jurisdiction.” (Covered by InfoBytes here.)
As explained in the court’s opinion, last year the plaintiffs filed a motion for sanctions and for an order to show cause why the court should not hold the defendants in contempt for actions relating to several ongoing discovery disputes. The court determined that the defendants failed to demonstrate that “factors other than obduracy and willfulness” led to their failure to comply with multiple discovery orders and that the defendants engaged in a “pattern of knowing noncompliance with numerous orders of the court.” These delays, the court said, have significantly harmed the plaintiffs in their ability to prepare their case. Finding each defendant in civil contempt of court, the court also entered a default judgment against the defendants, citing them for discovery violations in other cases. The court set June deadlines for briefs on remedies and damages.