InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DOJ’s Covid-19 Fraud Enforcement reports ongoing civil fraud and consumer protection actions
On April 9, the DOJ released a report on Covid-19 fraud, organizing various federal enforcement agencies and inspectors general, as well as state strike forces, in their collective pursuits against civil fraud on financial remedies under Covid-19. The Department’s COVID-19 Fraud Enforcement Task Force (CFETF) reported over 400 settlements and judgments and seized over $1.4 billion in fraudulently obtained CARES Act funds.
The report noted that the Civil Fraud Section continues to investigate fraudulent claims under the False Claims Act (FCA) and FIRREA, including with respect to grant recipients, PPE procurement, and payment advances. As two notable examples, a Florida management company paid $9 million for knowingly violating the FCA to obtain PPP loan forgiveness, and a New Jersey public relations firm paid $2.24 million for similar violations where it was found ineligible for the loan since it was registered under the Foreign Agent Registration Act. The DOJ also acted against purveyors of faulty PPE, individuals who tampered with Covid-19 vaccines, and those who sold fraudulent covid products online––filing under the COVID-19 Consumer Protection Act. The DOJ touted its $1 million judgment against a company that marketed vitamins that allegedly protected against Covid-19. Further, the National Unemployment Insurance Fraud Tax Force found hundreds of pandemic fraud leads and has seized over $3.3 billion in suspected pandemic fraud.
Kentucky enacts a comprehensive data privacy law for controllers
On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produce products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers and derive over 50 percent gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.
The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.
The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing would be automated typically. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given another possible 45-day via an extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.
Arizona enacts new money transmission requirements for licensees
On April 8, the Governor of Arizona signed into law SB 1034 which will amend money transmission requirements for licensees. The new law will require a licensee, before transmitting any money (either in person or electronically), to provide consumer fraud warnings on the associated risks and dangers, instructions on how to stop a money transmission (if that option is available), and a statement that the money not be returned after the transmission is completed. The law will not apply to (i) an electronic funds transfer to another person that is not available for immediate use, (ii) electronic funds transfers made with a gift certificate, and (iii) a licensee that can provide proof of presenting its employees an annual fraud prevention training that covers “the indicia of fraud associated” with electronic money transfers. The law will go into effect on July 7 (90 days after enactment).
Seventeen State Attorneys General comment on CFPB overdraft proposal
State Attorneys General from 17 states recently sent a letter to the CFPB endorsing its proposed rule to amend TILA. The 17 states included New York as principal, California, Colorado, Connecticut, Delaware, the District of Columbia, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, North Carolina, Oregon, Pennsylvania, and Washington. As previously covered by InfoBytes, the proposed amendments would treat overdraft credits as loans, which would make them subject to consumer protections.
The State AGs argued that the historical basis for excluding overdraft fees from TILA protections would be obsolete due to how the fees are assessed, the high fee amount, and the large number of overdraft transactions. The State AGs wrote that closing the loophole would protect consumers by providing customers with disclosures so they can better understand the cost and enable them to comparison shop. The State AGs supported a benchmark fee of $3, which is the lowest fee amount proposed by the CFPB, and argued that even a $6 fee would “undercount the volume of transactions generating a fee post-enactment” of the proposed rule. Finally, the State AGs urged the CFPB to extend the proposed rule to both “very large financial institutions” (those with more than $10 billion in assets) and small financial institutions.
Utah appellate court upholds ruling for defendant in FDCPA Case
Recently, the Utah Court of Appeals affirmed a lower court’s decision granting summary judgment in favor of a defendant debt collector in an FDCPA case. According to the court, defendant’s registration as a debt collection agency had lapsed in Utah when it sent the plaintiff a debt collection letter. Later, when still not registered as a collection agency, defendant served plaintiff with a collection complaint and filed it with the district court. Plaintiff did not contest the complaint, leading to defendant moving for a default judgment, which the district court granted in 2020. Thereafter, plaintiff filed suit against defendant for illegally pursuing the prior collection action, and summary judgment was entered against plaintiff.
On appeal, the court turned to a recent similar case that supported the lower court’s decision that a registration violation was not actionable under the Utah Consumer Sales Practices Act (UCSPA). Regarding plaintiff’s FDCPA claim, the court found that plaintiff did not argue for a different resolution under the FDCPA compared to the Utah Code. Plaintiff contended that since both statutes prohibited the same practices in debt collection, her FDCPA claim should also be valid under the UCSPA. However, as plaintiff did not preserve any argument distinguishing her FDCPA claim from her UCSPA claim, the court affirmed the dismissal of both the FDCPA and UCSPA claims.
Fed releases enforcement action against Wyoming-based bank holding company
On April 4, the Federal Reserve released an enforcement action against a Wyoming-based bank holding company as part of a September 2023 inspection that found alleged deficiencies related to the “fintech business strategy, board oversight, capital, earnings, liquidity, risk management, and compliance.” The consent order with the bank holding company requires the holding company to: (i) serve as a source of strength to its bank subsidiary; (ii) submit a written plan to strengthen board oversight, including a staffing assessment and succession plan; (iii) submit a written plan to strengthen its risk management program, including adopting written policies and procedures to manage compliance and fraud risks; (iv) submit an enhanced liquidity risk management program, a capital plan, and a written business plan to improve earnings; and (v) ensure compliance with regulations governing affiliate transactions. The consent order additionally placed limits on the holding company’s fintech activities and required the holding company to submit a wind-down plan for fintech-related business. According to the consent order, following the September 2023 inspection, the holding company had voluntarily stopped pursuing its fintech business strategy and had been winding down all related activities.
FDIC’s Gruenberg speaks on FDIC’s plans for economic inclusion
On April 4, Federal Deposit Insurance Corp. Chairman, Martin J. Gruenberg, delivered a speech on the FDIC’s economic inclusion strategy. The speech highlighted the FDIC’s commitment to economic inclusion, efforts to understand the size and characteristics of the unbanked market, and past FDIC economic inclusion efforts.
When Chairman Gruenberg highlighted previous FDIC inclusion efforts, he noted that the unbanked rate fell from 8.2 to 4.5 percent during the decade ending in 2021, with even steeper decreases for some minority populations. He also announced a new economic inclusion strategic plan to expand customers’ participation in the banking system and help households achieve greater financial security. The plan would intend to help customers build credit, including through small-dollar lending programs with affordable rates, and calls for specific steps to encourage bank lending and investments in low- and moderate-income neighborhoods.
CFPB Director speaks on new and proposed rules for “data brokers”
On April 2, the Director of the CFPB, Rohit Chopra, delivered a speech at the White House Office of Science and Technology Policy highlighting President Biden’s recent Executive Order (EO) to Protect Americans’ Sensitive Personal Data and how the CFPB will plan to develop rules to regulate “data brokers” under FCRA. As previously covered by InfoBytes, the President’s EO ordered several agencies, including the CFPB, to better protect Americans’ data. Chopra highlighted how the EO not only covered data breaches but also regulated “data brokers” that ingest and sell data. According to the EO, “Commercial data brokers… can sell [data] to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.”
Consistent with the President’s EO, the CFPB will plan to propose rules this year that will regulate “data brokers,” as per its authority under FCRA. Specifically, the proposed rules would include data brokers within the definition of “consumer reporting agency”; further, a company’s sale of consumer payment or income data would be considered a “consumer report” subject to requirements, like accuracy, customer disputes, and other provisions prohibiting misuse of the data.
CFPB reports three findings on the relationship between discount points and interest rates
On April 5, the CFPB issued a report on the relationship between trends in discount points and interest rates. The report used HMDA data between Q1 of 2019 and Q3 of 2023 when interest rates were at “record-highs” and before the Federal Reserve announced its intention to lower interest rates. The CFPB found that (i) the majority of borrowers paid discount points, (ii) more borrowers paid discount points as interest rates increased, and (iii) borrowers with low credit scores were even more likely to pay discount points. Delving deeper into the data, 87 percent of borrowers with cash-out refinances paid discount points (up from 61 percent in 2021), and borrowers with cash-out refinance loans paid twice the number of discount points compared to other borrowers (with a median of 2.1 points per loan). Additionally, almost 77 percent of FHA borrowers with a credit score below 640 paid discount points compared to 65 percent of all FHA borrowers. Considering these trends, the CFPB will plan to monitor the use of discount points and weigh the advantages against the potential risks to borrowers.
District Court rules against CFPB on Prepaid Rule disclosure requirement
On March 28, the U.S. District Court for the District of Columbia (D.D.C.) ruled in favor of a fintech digital wallet provider by granting its motion for summary judgment, denying the CFPB’s cross-motion, and vacating the CFPB’s Prepaid Rule’s short-form disclosure requirements for digital wallets. The suit focused on the applicability of the Prepaid Rule’s short-form disclosure requirements to digital wallet products. The plaintiff sued the CFPB, arguing the CFPB’s Prepaid Rule was arbitrary and capricious because, unlike for general-purpose reloadable (GPR) products, the CFPB failed to provide a “well-founded, non-speculative reason for subjecting digital wallets” to the Prepaid Rule’s short-form disclosure regime.
The CFPB’s Prepaid Rule mandated that pre-acquisition fee disclosures, which were intended to apply to GPR cards, be required for digital wallets––i.e., digital wallet providers would be required to provide consumers with a pre-acquisition fee disclosure in a formatted “short form.” While the judge agreed that this makes sense as applied to GPR products, digital wallet products were fundamentally different from GPRs and were not primarily “used to access funds or to function as a substitute checking account.” While the CFPB’s Advanced Notice of Proposed Rulemaking, did not initially include digital wallets, in the final Prepaid Rule, the CFPB included digital wallets for three reasons: (1) the CFPB reasoned that the Prepaid Rule should apply to digital wallets since digital wallets can carry funds (just like GPRs), and the fee structure “may not hold true in the future”; (2) the CFPB argued that the Prepaid Rule filled a regulatory gap for digital wallets; and (3) the CFPB claimed it “cast a wide net” on purpose to avoid a “patchwork regime.”
In response, the plaintiff argued that the disclosure requirement was arbitrary and capricious due to the Bureau having no rational justification for including digital wallets in the Prepaid Rule. Further, it was arbitrary and capricious because the CFPB did not comply with its role under Dodd-Frank by assessing the costs and benefits of the Rule. Finally, the plaintiff argued that the short-form disclosure regime violated the First Amendment.
While declining to rule on First Amendment issues, the court held that the CFPB lacked a “rational justification” for subjecting digital wallets to the Prepaid Rule’s short-form disclosure requirement, agreeing that the CFPB’s requirement was arbitrary and capricious, and that it had no basis for including digital wallets because they were materially different products. The judge also found the CFPB’s cost-benefit analysis (as mandated by Dodd-Frank) was deficient, as the “general” cost-benefit analysis did not fit for digital wallets.