Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Law firm ordered to produce cyberattack report in malpractice action


    On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected work product nor attorney-client privileged. According to the order, as part of a malpractice action in which the plaintiff, a Chinese entrepreneur, accused the law firm of failing to protect his personal information from hackers, the plaintiff moved to compel the production of “‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [plaintiff]’s confidential information.” The law firm opposed the motion, arguing that it already had turned over all relevant internally generated materials and any other documents were protected by attorney-client and work-product privileges. The law firm argued that the forensic report was only one half of a two-tracked investigation of the incident.  On one track, the law firm’s usual cybersecurity vendor worked to investigate the attack to preserve business continuity while on a separate track, a different consultant was retained by counsel for the sole purpose of assisting the law firm in gathering information necessary to render legal advice. 

    The district court disagreed, concluding that the report is not covered by work-product privilege because the law firm failed to show that the report “‘would [not] have been created in the ordinary course of business irrespective of litigation.’” The court noted that the forensic report summarizes the findings of the investigation and that substantially the same document would have been prepared in any event as part of the ordinary course of the law firm’s business.  While seeming to endorse the idea of a two-track investigation, the court noted that the law firm failed to provide any evidence that supported the fact that there were actually two tracks. Among other things, the court noted that the report summarizes findings into the data breach’s “cause, nature, and effect” and was used “for a range of non-litigation purposes,” including being shared with members of the law firm’s leadership and IT team and the FBI. In addition, the court noted that there was no evidence that the law firm’s usual cybersecurity vendor produced any findings, let alone a comprehensive report about the incident. Instead, the court stated that the record suggested that two days after the cyberattack began, the law firm turned to this second consulting firm instead of rather than in addition to the first consulting firm. Moreover, the court rejected the application of attorney-client privilege, concluding that the law firm’s “true objective was gleaning [the security-consulting firm]’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer.’” The court noted that the report included remediation advice, indicating the security firm was “engaged for immediate ‘incident response.’” Lastly, the court noted the law firm can safely respond to the plaintiff’s interrogatories calling for information regarding other clients impacted by the cyberattack with “appropriate redactions in responsive documents” and “tailored” answers.

    Courts Privacy/Cyber Risk & Data Security Data Breach Attorney-Client Privilege Work-Product Privilege

    Share page with AddThis
  • OCC urges court to uphold valid-when-made rule


    On January 14, the OCC moved for summary judgment in an action filed by the California, Illinois, and New York attorneys general (collectively, “states”) challenging the OCC’s valid-when-made rule, arguing that the challenge is without merit and that the agency “reasonably interprets the ‘gap’ in [12 U.S.C. § 85] concerning what happens when a national bank sells, assigns, or transfers a loan.” As previously covered by InfoBytes, the OCC’s final rule was designed to effectively reverse the Second Circuit’s 2015 Madden v. Midland Funding decision and provides that “[i]nterest on a loan that is permissible under [12 U.S.C. § 85 for national bank or 12 U.S.C. § 1463(g)(1) for federal thrifts] shall not be affected by the sale, assignment, or other transfer of the loan.” The states challenged the rule, arguing that it is “contrary to the plain language” of section 85 (and section 1463(g)(1)) and “contravenes the judgment of Congress,” which declined to extend preemption to non-banks. Moreover, the states contend that the OCC “failed to give meaningful consideration” to the commentary received regarding the rule, essentially enabling “‘rent-a-bank’ schemes.” 

    In response, the OCC argued that not only does the final rule reasonably interpret the “gap” in section 85, it is consistent with section 85’s “purpose of facilitating national banks’ ability to operate their nationwide lending programs.” Moreover, the agency asserts that 12 U.S.C. § 25b’s preemption standards do not apply to the final rule, because, among other things, the OCC “has not concluded that a state consumer financial law is being preempted.” The final rule “addresses only the ‘substantive [ ] meaning’ of § 85” and Congress “expressly exempted OCC’s interpretations of § 85 from § 25b’s requirements.” Lastly, the OCC argued that it made an “informed and reasoned decision,” including addressing issues raised during the public comment period. Thus, the court should uphold the final rule and affirm summary judgment for the agency.

    Courts State Issues State Attorney General OCC Madden Fintech Interest Rate New York California Illinois Preemption

    Share page with AddThis
  • Online lender settles MLA violations for $1.25 million

    Federal Issues

    On January 19, the CFPB announced a settlement with a California-based online lender resolving allegations that the company violated the Military Lending Act (MLA) when making installment loans. This settlement is part of “the Bureau’s broader sweep of investigations of multiple lenders that may be violating the MLA,” which provides protections connected to extensions of consumer credit for active-duty servicemembers and their dependents. As previously covered by InfoBytes, last month the Bureau filed a complaint in the U.S. District Court for the Northern District of California alleging that since October 2016 the lender, among other things, made more than 4,000 single-payment or installment loans to over 1,200 covered borrowers in violation of the MLA. These violations included (i) extending loans with Military Annual Percentage Rates (MAPR) exceeding the MLA’s 36 percent cap; (ii) requiring borrowers to submit to arbitration in loan agreements; and (iii) failing to make certain required loan disclosures, including a statement of the applicable MAPR, before or at the time of the transaction.

    Under the terms of the settlement, the company is required to pay $300,000 in consumer redress and pay a $950,000 civil money penalty. The company is also be prohibited from committing future MLA violations and from “collecting on, selling, or assigning any debts arising from Void Loans.” Furthermore, the company is required to submit a compliance plan to ensure its extension of consumer credit complies with the MLA. This plan must include, among other things, a process for correcting information furnished to credit reporting agencies about affected consumers.

    Federal Issues CFPB Enforcement Military Lending Act Online Lending Courts Military Lending

    Share page with AddThis
  • CFPB files action against mortgage lender for unlawful practices

    Federal Issues

    On January 15, the CFPB announced a complaint filed in the U.S. District Court for the District of Connecticut against a mortgage lender and four executives (collectively, “defendants”) alleging the defendants engaged in unlawful mortgage lending practices in violation of TILA, FCRA, ECOA, the Mortgage Acts and Practices—Advertising Rule (MAP Rule), and the CFPA. According to the complaint, from as early as 2015 until August 2019 (i) unlicensed sales people would take mortgage applications and offer and negotiate mortgage terms, in violation of TILA and Regulation Z; (ii) company policy regularly required consumers to submit documents for verification before receiving a Loan Estimate, in violation of TILA and Regulation Z; (iii) employees would deny consumers credit without issuing an adverse action notice, as required by the FCRA or ECOA; and (iv) defendants regularly made misrepresentations about, among other things, the availability and cost savings of a FHA streamlined refinance loan, in violation of the MAP Rule. The Bureau is seeking an injunction, as well as, damages, redress, disgorgement, and civil money penalties.

    Federal Issues CFPB Enforcement Courts ECOA FCRA CFPA TILA Regulation Z MAP Rule Mortgages

    Share page with AddThis
  • Court dismisses data breach claims citing lack of compromised sensitive information

    Privacy, Cyber Risk & Data Security

    On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia allegedly accessed personal information without authorization, including guests’ names, addresses, phone numbers, email addresses, genders, birth dates and loyalty account numbers. The plaintiff’s suit alleged, among other things, violations of the California Consumer Privacy Act and the state’s Unfair Competition Law. While the hotel disclosed the incident last March and admitted that class members’ personal information was compromised, the court determined that the plaintiff lacked standing to bring claims after the hotel’s investigation found that “no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.” The court determined that the plaintiff failed to plausibly plead that any of the class members’ more sensitive data had fallen into the wrong hands, and that “[w]ithout a breach of this type of sensitive information, Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach CCPA State Issues

    Share page with AddThis
  • Court says CFPB unconstitutionality argument strays from Supreme Court ruling in Seila


    On January 13, the U.S. District Court for the Middle District of Pennsylvania denied a student loan servicer’s motion for judgment on the pleadings, ruling that the servicer’s argument that the CFPB is unconstitutional “strays afar” from the U.S. Supreme Court’s finding in Seila Law LLC v. CFPB. The servicer previously argued that the Supreme Court’s finding in Seila (covered by a Buckley Special Alert)—which held that that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the CFPB—meant that the Bureau “never had constitutional authority to bring this action and that the filing of [the] lawsuit was unauthorized and unlawful.” The servicer also claimed that the statute of limitations governing the CFPB’s claims prior to the decision in Seila had expired, arguing that Director Kathy Kraninger’s July 2020 ratification came too late. However, the court determined, among other things, that “[n]othing in Seila indicates that the Supreme Court intended that its holding should result in a finding that this lawsuit is void ab initio.” The court further noted that the servicer’s assertion that the Bureau “‘never had constitutional authority to bring this action’ is belied by Seila’s implicit finding that the CFPB always had the authority to act, despite the Supreme Court’s finding that the removal protection was unconstitutional.”

    Courts CFPB Seila Law Single-Director Structure U.S. Supreme Court

    Share page with AddThis
  • California appellate court concludes lender’s arbitration provision unenforceable


    On January 11, the Court of Appeals of the State of California affirmed the denial of an auto lender’s motion to compel arbitration, concluding that the arbitration clause was invalid and unenforceable. According to the opinion, in May 2019, consumers filed a class action complaint alleging the lenders charged unconscionable interest rates in violation of California’s Unfair Competition Law (UCL) and Consumers Legal Remedies Act (CLRA). The company moved to compel arbitration, which the consumers opposed, arguing that the agreement was “procedurally and substantively unconscionable,” and that the California Supreme Court decision in McGill v. Citibank, N.A. (covered by a Buckley Special Alert here, holding that a waiver of the plaintiff’s substantive right to seek public injunctive relief is not enforceable) applied. The trial court denied the motion to compel arbitration, concluding that the McGill rule applied and that the injunctive relief provision could not be severed from the rest of the arbitration agreement because severability did not apply to the class waiver provision.

    On appeal, the state appellate court agreed with the trial court, concluding that the McGill rule applied. Specifically, the appellate court concluded that the injunctive relief the consumers were seeking “encompasses all consumers and members of the public,” and “an injunction under the CLRA against [the lender]’s unlawful practices will not directly benefit the Customers because they have already been harmed and are already aware of the misconduct.” Moreover, the appellate court determined that there is no precedent holding that “the remedy of public injunctions under CLRA and UCL should be limited to false advertising claims.” The court further concluded that the class waiver was not severable, stating that the lender’s argument that the arbitration agreement could not be determined void until after an appellate court reviews the viability of the class waiver was “illogical.” Accordingly, the appellate court affirmed the denial of the motion to arbitrate.

    Courts State Issues Arbitration Lending Consumer Finance

    Share page with AddThis
  • National bank settles merchant processing fee class action for $40 million


    On January 12, a national bank’s merchant services division agreed to pay up to $40 million to settle a class action alleging that the bank overcharged for payment processing services. According to the November 2017 amended complaint filed in the U.S. District Court for the Eastern District of New York, six small businesses alleged that the bank fraudulently induced merchant customers to enter into contracts by failing to properly disclose rates and charges that applied to their accounts. Specifically, the plaintiffs alleged that the bank induced merchants to retain its card payment processing services by promising low card processing fees at the time of enrollment but then charged higher rates and surcharges for the “vast majority of transactions.” Plaintiffs also alleged that the bank used an “upcharge” method, in which customers contract for “fixed” processing fees, but that the vast majority of transactions are ultimately deemed “non-qualified” and charged at higher rates than disclosed. Additionally, the bank allegedly told potential merchant customers that they could “cancel at any time without penalty,” when merchant customers that canceled prior to the expiration of the contract term were charged an “early termination fee [] of several hundred dollars.”

    Under the proposed settlement, the bank will pay up to $40 million—and no less than $27 million—to class members and cover attorneys’ fees and expenses, service awards, and settlement administration costs. Additionally, the bank, among other things, has agreed to (i) continue to allow customers to switch, penalty-free to a newer standard pricing plan from the fixed pricing plan; and (ii) modify contract terms to allow customers to leave without termination fees within 45 days of being assessed new or increased fees.

    Courts Merchant Services Class Action Payment Processors

    Share page with AddThis
  • National bank settles DACA discrimination class action


    On January 8, the U.S. District Court for the Northern District of California granted final approval to a settlement resolving allegations brought by a national class and a California class against a national bank concerning the denial of credit to recipients who held valid and unexpired Deferred Action for Childhood Arrivals (DACA) status. In a motion for preliminary settlement filed last June, the plaintiffs claimed that the bank allegedly determined DACA recipients to be ineligible for direct auto financing because of their noncitizen status, even though “[t]here is no federal or state law or regulation that prohibits banks from lending to non-citizens generally, or DACA recipients specifically, based on their status as non-citizens.” The bank moved to dismiss, claiming the plaintiffs failed to plead facts sufficient to state claims under the Equal Credit Opportunity Act and the Fair Credit Reporting Act. The parties engaged in discovery, but ultimately agreed to stay the case and engaged a mediator to assist with settlement discussions.

    Under the terms of the settlement, the bank is required to provide verified California class members up to $2,500 per claim and national class members up to $300 pending submission of a valid claim. The settlement also provides injunctive relief, a service award to the class representative, attorneys’ fees and costs, and settlement administration costs. Additionally, the bank will amend its direct auto lending practices in order “to extend loans to current and valid DACA recipients on the same terms and conditions as U.S. citizens,” and will provide class counsel an annual status report detailing the status of its programmatic relief for a two year period.

    Courts DACA Consumer Lending Auto Finance ECOA FCRA Consumer Finance

    Share page with AddThis
  • States seek to invalidate OCC true lender rule


    On January 5, the New York attorney general, along with the attorneys general from six other states and the District of Columbia filed a complaint against the OCC in the U.S. District Court for the Southern District of New York challenging the OCC’s “true lender” final rule. As previously covered by InfoBytes, in October 2020, the OCC issued a final rule addressing when a national bank or federal savings association is the “true lender” in the context of a partnership between a bank and a third party to provide certainty about key aspects of the legal framework that applies. The final rule amends 12 CFR Part 7 to state that a bank makes a loan when it, as of the date of origination, (i) is named as the lender in the loan agreement, or (ii) funds the loan. The complaint argues, among other things, that the OCC exceeded its statutory authority, and “acted in a manner contrary to centuries of case law [and] the OCC’s own prior interpretation of the law.” The attorneys general reject the OCC’s contention that the final rule is intended to address “‘ambiguity’ in provisions of three federal banking statutes that generally authorize National Banks to make loans,” and instead argue that the rule seeks to preempt state usury law and “infringe on the States’ historical police powers and facilitate predatory lending.” The complaint seeks a declaratory judgment that the OCC violated the Administrative Procedures Act and requests the court set aside the final rule as unlawful. 

    Courts State Attorney General OCC True Lender Valid When Made State Issues

    Share page with AddThis