Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FTC sues national retailer for allegedly facilitating money transfer fraud

    Federal Issues

    On June 28, the FTC filed a complaint against a national retailer for allegedly allowing its money-transfer services to facilitate fraud. The complaint alleges the retailer knew about the role money transfer services play in scams but failed to properly secure the services offered at its stores, thus allowing money to be sent to “domestic and international fraud rings.” According to the FTC, at least 226,679 complaints totaling more than $197 million were received by several money transfer services companies about fraud-induced money transfers that were sent from or received at one of the retailer’s stores between January 1, 2013 and December 31, 2018. An investigation by the FTC purportedly revealed that the retailer’s practices allegedly harmed consumers by, among other things, (i) allowing the payout of suspicious money transfers, which allowed scammers to retrieve fraud proceeds at one of the retailer’s stores; (ii) failing to have in place a written anti-fraud policy or consumer protection program until November 2014; (iii) allowing cash pickups for large payments, often through the use of fake IDs; (iv) failing to display or provide materials warning consumers about potential frauds; (v) failing to effectively train or retrain employees; and (vi) allowing money transfers to be used for telemarketing purchases, which are prohibited under the Telemarketing Sales Rule (TSR) due to the high risk of fraud.

    According to the complaint, the retailer “is well aware that telemarketing and other mass marketing frauds, such as ‘grandparent’ scams, lottery scams, and government agent impersonator scams, induce people to use [the retailer’s] money transfer services to send money to domestic and international fraud rings. Nevertheless, [the retailer] has continued processing fraud-induced money transfers at its stores—funding telemarketing and other scams—without adopting policies and practices that effectively detect and prevent these transfers.”

    The complaint seeks a permanent injunction, monetary relief, civil penalties, restitution, and other relief for each violation of the FTC Act and the TSR. The FTC also requests the “rescission or reformation of contracts, the refund of money, the return of property, the payment of damages, public notification, or other relief necessary to redress injury to consumers damages.”

    The retailer issued a press release following the FTC’s announcement, stating that it considers the agency’s claims to be “misguided and legally flawed,” and that the civil lawsuit “was approved by the FTC by the narrowest of margins after Chair Lina Khan refused [the retailer] the due process of hearing directly from the company.” The retailer noted that the FTC’s decision comes after DOJ declined to pursue the case in court. Among other thing, the retailer contended that because it maintains robust anti-fraud measures there is no need for injunctive relief requiring the retailer to change its practices. The retailer pointed to the U.S. Supreme Court’s ruling in AMG Capital Management LLC v. FTC, which limited the FTC’s ability to obtain monetary relief in federal court (covered by InfoBytes here), to argue that the FTC “pivoted their focus in this case after AMG to a distorted interpretation of the TSR to effectively try and hold [the retailer] strictly liable for money transfers that third-party criminals reportedly persuaded some consumers to send.” The retailer added that “[s]witching their main legal theory to the TSR is an obvious attempt to get around the Supreme Court’s ruling in AMG.”

    Federal Issues FTC Enforcement FTC Act Telemarketing Sales Rule Money Service / Money Transmitters Fraud

    Share page with AddThis
  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

    Share page with AddThis
  • FDIC releases May enforcement actions

    On June 24, the FDIC released a list of 14 public enforcement actions taken against banks and individuals in May. These orders consist of “two consent orders, one modification of an 8(e) prohibition order, three orders to pay civil money penalty, three orders of prohibition, two section 19 orders, and one order of prohibition from further participation and order to pay, one order terminating amended supervisory prompt corrective action directive, and one order of termination of insurance.” Included is an order to pay a civil money penalty imposed against a Texas-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank failed “to obtain flood insurance or obtain an adequate amount of insurance coverage, at or before loan origination, for all structures in a flood zone, including multiple structures,” and failed “to force-place flood insurance, after loan origination, when the insurance on buildings securing the loan” was insufficient or nonexistent. The order assessed a $2,000 civil money penalty.

    The FDIC also issued a consent order against a Utah-based bank based on alleged unsafe or unsound banking practices relating to the Bank Secrecy Act. The bank neither admitted nor denied the alleged violations but agreed to, among other things, “increase its oversight of the Bank's compliance with the BSA” and “conduct a comprehensive assessment of BSA/AML staffing needs.”

    Bank Regulatory Federal Issues FDIC Flood Insurance Flood Disaster Protection Act Bank Secrecy Act Anti-Money Laundering Enforcement

    Share page with AddThis
  • FTC, Florida file complaint against grant funding operation

    Federal Issues

    On June 27, the FTC and the Florida attorney general filed a complaint against a Florida-based grant funding company and its owner (collectively, “defendants”) alleging that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act. According to the complaint, the defendants deceptively marketed grant writing and consulting services to minority-owned small businesses by, among other things, (i) promising grant funding that did not exist and/or was never awarded; (ii) misleading customers about the status of grant awards; and (iii) failing to honor a “money-back guarantee” and suppressing customer complaints. The complaint also alleged that the owner relied on funds that she acquired through the federal Paycheck Protection Program Covid-19 stimulus program to start the company. The U.S. District Court for the Middle District of Florida issued a restraining order with asset freeze, appointment of a temporary receiver, and other equitable relief order against the defendants, which also prohibits them from engaging in grant funding business activities.

    Federal Issues State Issues FTC Enforcement State Attorney General Florida Covid-19 FTC Act Deceptive UDAP

    Share page with AddThis
  • FTC finalizes action against e-commerce platform for data breach cover up

    Federal Issues

    On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.

    Federal Issues Privacy/Cyber Risk & Data Security FTC Enforcement Data Breach FTC Act Deceptive UDAP

    Share page with AddThis
  • Fed announces enforcement actions against Minnesota and Arkansas state banks

    On June 21, the Federal Reserve Board released civil penalty orders against two state banks, both relating to alleged violations of the National Flood Insurance Act (NFIA) and its implementing regulation, Regulation H. The first civil penalty order, against a Minnesota-based bank, assessed a $4,950 penalty for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The second civil penalty order, against an Arkansas-based bank, assessed a $13,950 penalty for an alleged pattern or practice of violations of Regulation H without specifying the number or precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.

    Bank Regulatory Federal Reserve Flood Insurance Enforcement National Flood Insurance Act Regulation H

    Share page with AddThis
  • States reach $1.25 million data breach settlement with cruise line

    State Issues

    On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”

    Under the terms of the settlement, the company has agreed to provisions designed to strengthening its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (ii) instituting multi-factor authentication for remote email access; (iii) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (iv) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (v) undergoing an independent information security assessment, consistent with past data breach settlements.

    State Issues Enforcement State Attorney General Data Breach Settlement Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Special Alert: DOJ settles claims of algorithmic bias

    Federal Issues

    On June 21,  the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.

    Federal Issues DOJ Special Alerts Fair Housing Act Algorithms Advertisement Enforcement Settlement Disparate Impact Discrimination

    Share page with AddThis
  • SEC settles allegations regarding robo-adviser service

    Securities

    On June 13, the SEC announced a settlement with three subsidiaries of a financial services holding company (collectively, “respondents”) regarding their robo-adviser service. The order, which the respondents consented to without admitting or denying the findings, imposes a civil money penalty of $135 million and a total of $52 million in disgorgement. The order also provides that the respondents must cease and desist from committing or causing any future violations of the antifraud provisions in the Investment Advisers Act.

    Securities Enforcement Cease and Desist Investment Advisers Act Robo-Advisor Service

    Share page with AddThis
  • District Court issues judgment against student debt relief operation

    Courts

    On June 10, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against an individual defendant who participated in a deceptive debt-relief operation. As previously covered by InfoBytes, in 2019, the Bureau, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. In the third amended complaint, the Bureau and the states alleged that since at least 2015, the debt relief operation violated the CFPA, TSR, FDCPA, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by, among other things, misrepresenting: (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness for borrowers; and (iii) their ability to actually lower borrowers’ monthly payments. Moreover, the debt relief operation allegedly failed to inform borrowers that it was their practice to request that the loans be placed in forbearance and also submitted false information to student loan servicers to qualify borrowers for lower payments.

    Under the terms of the final judgment, in addition to various forms of injunctive relief, the individual defendant must pay a $1 civil money penalty to the Bureau and $5,000 each to Minnesota, North Carolina, and California. The individual defendant is also “liable, jointly and severally, in the amount of $95,057,757, for the purpose of providing redress to Affected Consumers,” although his obligation to pay this amount is “suspended based on [his] inability to pay.”

    Courts CFPB Enforcement Consumer Finance Settlement Debt Relief TSR CFPA FDCPA State Issues State Attorney General

    Share page with AddThis

Pages