On September 19, the U.S. Court of Appeals for the Third Circuit affirmed a district court’s ruling in an FDCPA suit, finding that a defendant debt buyer was not required to be licensed under Pennsylvania law when it attempted to collect interest that had accrued at a rate of more than 6 percent under the original credit card agreement. According to the opinion, the plaintiff opened a credit card with a bank, which had an interest rate of 22.9 percent. The plaintiff defaulted on a debt he accrued on the card, and the debt was subsequently charged-off and sold by the bank to the defendant. The plaintiff argued that the defendant violated the FDCPA since the interest rate was limited by the Pennsylvania Consumer Discount Company Act (CDCA), which states that an unlicensed firm “in the business of negotiating or making loans or advances of money on credit [less than $25,000]” may not collect interest at an annual interest rate over 6 percent. The district court granted the defendant’s motion to dismiss, ruling that the defendant was entitled to collect interest above 6 percent because it held a license under a different state law.
On the appeal, the 3rd Circuit found that the CDCA applies to companies that arrange for or negotiate loans with certain parameters, and that there is nothing in the plaintiff’s amended complaint to suggest that the defendant is in the business of negotiating loans. The appellate court noted that the plaintiff’s allegations “indicate that [the defendant] purchases debt, such as [plaintiff’s] credit card account that [the bank had] charged off. But even with that allegation as a starting point, it is not reasonable to infer that an entity that purchases charged-off debt would also be in the business of negotiating or bargaining for the initial terms of loans or advances.” The appellate court further noted that “the amended complaint cuts against such an inference: it alleges that [the bank], not [the defendant], set the annual interest rate for [plaintiff’s] use of the credit card for loans and advances at 22.90%. Thus, with the understanding that negotiate means ‘to bargain’ and not ‘to transfer,’ [the plaintiff’s] allegations do not support an inference that [defendant] is in the business of negotiating loans or advances.”
District Court rules beneficiary bank without actual knowledge of wire transfer misdescription is not liable under Louisiana law
On September 22, the U.S. District Court for the Middle District of Louisiana granted summary judgment to a defendant beneficiary bank in an action concerning a fraudulent wire transfer that was allegedly sent to a hacker instead of the intended recipient. According to the opinion, the originating bank executed a wire transfer on behalf of the commercial plaintiff to a supplier. However, a hacker had inserted false account information into the supplier’s email to the plaintiff, causing the plaintiff’s instruction to the originating bank to indicate the wrong account at the beneficiary bank. As a result, the funds were deposited by the beneficiary bank into an account for which the account number did not match its account name. A large sum of the plaintiff’s money was thereupon withdrawn by a hacker from the account into which the funds had been deposited. The plaintiff sued asserting several claims, including negligence and gross negligence, violations of the EFTA and Louisiana’s Uniform Commercial Code (UCC), and aiding fraud. After all the claims except for the UCC claim were dismissed, the defendant moved for summary judgment on the grounds that it did not violate the UCC “because it did not have actual knowledge that the wire transfer at issue misdescribed the beneficiary prior to payment of the wire transfer as contemplated by that statute.”
The court ruled that based on the evidence, no reasonable juror could find that the defendant had actual knowledge of the misdescription at the time it made the transfer, explaining that the defendant did not have actual knowledge that a hacker had accessed the plaintiff’s wire transfer order, provided false instructions, and changed the target account number to its own. The court stated that under Louisiana law, a bank’s liability for completing a wire transfer that misidentifies a beneficiary or account number depends on whether it has “actual knowledge prior to payment that there was a misdescription of a beneficiary”—constructive knowledge is not actionable, the court said. The defendant also did not have actual knowledge of the misdescription prior to the payment, but rather acquired actual knowledge of the misdescription roughly two weeks later when the originating bank alerted the defendant of the alleged fraud. The court further contended that under Louisiana law a beneficiary bank that uses a fully automated payment system for wire transfers is allowed “to act on the basis of the number without regard to the name if the bank does not know that the name and number refer to different persons.”
District Court grants partial summary judgment to debt collector in credit reporting and debt collection action
On September 21, the U.S. District Court for the District of Maryland partially granted a defendant debt collector’s motion for summary judgment in a credit reporting and debt collection action. The plaintiff disputed debt related to two electric bills for two different residences that were eventually combined into one account. After the plaintiff informed the electric company that she would not be paying the bill, the debt was eventually referred for collection to the defendant. The plaintiff disputed the debt, and the defendant conducted an investigation. The plaintiff continued to contend that the defendant was certifying the debt without proof and claimed the defendant’s agents called her a liar and incorrectly asserted that she had not made payments. The defendant argued that it was entitled to summary judgment on the plaintiff’s FCRA and FDCPA claims, contending, among other things, that FCRA 1681e(b) “expressly applies to [credit reporting agencies] and not to furnishers.”
The court first reviewed the plaintiff’s FCRA claims as to whether the defendant conducted a reasonable investigation. The court stated that the plaintiff bore the burden to establish whether the defendant failed to conduct a reasonable investigation, and noted that because she failed to provide certain evidence to the defendant “there is no genuine dispute that the investigation conducted by [defendant] was not unreasonable” or that the defendant reported accurate information to the CRAs about the debt. With respect to some of the FDCPA claims, the court denied the defendant summary judgment on the basis that the plaintiff created a genuine dispute about whether the defendant violated § 1692d (the provision prohibiting a debt collector from engaging in harassment or abuse). According to the opinion, evidence suggests that the defendant’s agents incorrectly informed the plaintiff that she had never made a payment on one of the accounts, called her a liar when she protested this information, and used a “demeaning tone” in their communications. “[A] reasonable jury could conclude that the language would have the natural consequence of abusing a consumer relatively more susceptible to harassment, oppression, or abuse,” the court wrote.
Additionally, the court ruled on Maryland state law claims introduced in the plaintiff’s opposition to summary judgment. The court ruled against her Maryland Consumer Debt Collection Act claim regarding the alleged use of abusive language, writing that the agents were not “grossly abusive” and that the plaintiff failed to generate a genuine dispute on this issue. Nor did the plaintiff show a genuine dispute as to whether the debt was inaccurate or that the defendant knew the debt was invalid. The court also entered summary judgment in favor of the defendant on the plaintiff’s Maryland Consumer Protection Act and Maryland Collection Agency Licensing Act claims.
On September 19, the U.S. District Court for the District of Southern Florida granted final judgment against an individual to resolve SEC allegations regarding her involvement in a company that allegedly fraudulently misappropriated funds from investors. As previously covered by InfoBytes, the SEC’s complaint claimed that the individual was employed by the company and was the wife of a chief executive officer who falsely represented to many Venezuelan-American investors that the company would use their funds to finance payday loans through the offer and sale of “safe and secured or guaranteed” promissory notes. The complaint noted that the defendant “received at least $1.2 million of [the company’s] investor funds for no apparent legitimate business purpose,” in violation of the federal securities laws or any regulation or order issued under such laws, as set forth in the Bankruptcy Code. According to the order, the defendant must pay $994,000 in disgorgement and $83,000 in interest.
On September 15, the U.S. Court of Appeals for the Second Circuit held that New York’s interest-on-escrow law impermissibly interferes with the incidentals of national bank lending and is preempted by the National Bank Act (NBA). Plaintiffs in two putative class actions obtained loans from a national bank, one before and the other after certain Dodd-Frank provisions took effect. The loan agreements—governed by New York law—required plaintiffs to deposit money into escrow accounts. After the bank failed to pay interest on the escrowed amounts, plaintiffs sued for breach of contract, alleging, among other things, that under New York General Obligations Law (GOL) § 5-601 (which sets a minimum 2 percent interest rate on mortgage escrow accounts) they were entitled to interest. The bank moved to dismiss both actions, contending that GOL § 5-601 did not apply to federally chartered banks because it is preempted by the NBA. The district court disagreed and denied the bank’s motion, ruling first that RESPA (which regulates the amount of money in an escrow account but not the accruing interest rate) “shares a ‘unity of purpose’ with GOL § 5-601.” This is relevant, the district court said, “because Congress ‘intended mortgage escrow accounts, even those administered by national banks, to be subject to some measure of consumer protection regulation.’” Second, the district court reasoned that even though TILA § 1639d does not specifically govern the loans at issue, it is significant because it “evinces a clear congressional purpose to subject all mortgage lenders to state escrow interest laws.” Finally, with respect to the NBA, the district court determined that “the ‘degree of interference’ of GOL § 5-601 was ‘minimal’ and was not a ‘practical abrogation of the banking power at issue,’” and concluded that Dodd-Frank’s amendment to TILA substantiated a policy judgment showing “there is little incompatibility between requiring mortgage lenders to maintain escrow accounts and requiring them to pay a reasonable rate of interest on sums thereby received.” As such, GOL § 5-601 was not preempted by the NBA, the district court said.
On appeal, the 2nd Circuit concluded that the district court erred in its preemption analysis. According to the appellate court, the important question “is not how much a state law impacts a national bank, but rather whether it purports to ‘control’ the exercise of its powers.” In reversing the ruling and holding that GOL § 5-601 was preempted by the NBA, the appellate court wrote that the “minimum-interest requirement would exert control over a banking power granted by the federal government, so it would impermissibly interfere with national banks’ exercise of that power.” Notably, the 2nd Circuit’s decision differs from the 9th Circuit’s 2018 holding in Lusnak v. Bank of America, which addressed a California mortgage escrow interest law analogous to New York’s and held that a national bank must comply with the California law requiring mortgage lenders to pay interest on mortgage escrow accounts (covered by InfoBytes here). Among other things, the 2nd Circuit determined that both the district court and the 9th Circuit improperly “concluded that the TILA amendments somehow reflected Congress’s judgment that all escrow accounts, before and after Dodd-Frank, must be subject to such state laws.”
In a concurring opinion, one of the judges stressed that while the panel concluded that the specific state law at issue is preempted, the opinion left “ample room for state regulation of national banks.” The judge noted that the opinion relies on a narrow standard of preempting only those “state laws that directly conflict with enumerated or incidental national bank powers conferred by Congress,” and stressed that the appellate court declined to reach a determination as to whether Congress subjected national banks to state escrow interest laws in cases (unlike the plaintiffs’ actions) where Dodd-Frank’s TILA amendments would apply.
On September 15, the U.S. Court of Appeals for the Tenth Circuit affirmed the CFPB’s administrative ruling against a Delaware-based online payday lender and its founder and CEO (respondents/petitioners) regarding a 2015 administrative enforcement action that alleged violations of the Consumer Financial Protection Act (CFPA), TILA, and EFTA. As previously covered by InfoBytes, in 2015, the CFPB announced an action against the respondents for alleged violations of TILA and the EFTA, and for engaging in unfair or deceptive acts or practices. Specifically, the CFPB alleged that, from May 2008 through December 2012, the online lender (i) continued to debit borrowers’ accounts using remotely created checks after consumers revoked the lender’s authorization to do so; (ii) required consumers to repay loans via pre-authorized electronic fund transfers; and (iii) deceived consumers about the cost of short-term loans by providing them with contracts that contained disclosures based on repaying the loan in one payment, while the default terms called for multiple rollovers and additional finance charges. The order required the respondents to pay $38.4 million as both legal and equitable restitution, along with $8.1 million in penalties for the company and $5.4 million in penalties for the CEO.
According to the opinion, between 2018 and 2021, the U.S. Supreme Court issued four decisions, Lucia v. SEC (covered by InfoBytes here), Seila Law v. CFPB (covered by a Buckley Special Alert here), Liu v. SEC (covered by InfoBytes here), and Collins v. Yellen (covered by InfoBytes here), which “bore on the Bureau’s enforcement activity in this case,” by “decid[ing] fundamental issues such as the Bureau’s constitutional authority to act and the appointment of its administrative law judges (‘ALJ’).” The decisions led to intermittent delays and restarts in the Bureau’s case against the petitioners. For instance, the opinion noted that two different ALJs decided the present case years apart, with their recommendations separately appealed to the Bureau’s director. The CFPB’s director upheld the decision by the second ALJ and ordered the lender and its owner to pay the restitution, and a district court issued a final order upholding the award. The petitioners appealed.
On appeal, the petitioners made three substantive arguments for dismissing the director’s final order. The petitioners argued that under Seila, the CFPB’s structure was unconstitutional and therefore the agency did not have authority to issue the order. The appellate court disagreed, stating that it is “to use a ‘scalpel rather than a bulldozer’ in remedying a constitutional defect,” and that “because the Director’s actions weren’t unconstitutional, we reject Petitioners’ argument to set aside the Bureau’s enforcement action in its entirety.”
The petitioners also argued that the enforcement action violated their due-process rights by denying the CEO additional discovery concerning the statute of limitations. The petitioners claimed that they were entitled to a “new hearing” under Lucia, and that the second administrative hearing did not rise to the level of due process prescribed in that case. The appellate court determined that there was “no support for a bright-line rule against de novo review of a previous administrative hearing,” nor did it see a reason for a more extensive hearing. Moreover, the petitioners “had a full opportunity to present their case in the first proceeding,” the 10th Circuit wrote. The appellate court further rejected the company’s argument regarding various evidentiary rulings, including permitting evidence about the company’s operational expenses, among other things. The appellate court also concluded that the CFPA’s statute of limitations commences when the Bureau either knows of a violation or, through reasonable diligence, would have discovered the violation. Therefore, the appellate court rejected the argument “that the receipt of consumer complaints triggered the statute of limitations.”
The petitioners also challenged the remedies order, claiming they were not allowed “to present evidence of their good-faith reliance on counsel (as to restitution and civil penalties) and evidence of their expenses (as to the Director’s residual disgorgement order).” The appellate court rejected that challenge, holding that the director properly considered all factors, including good faith, and rejected the petitioners’ challenge to the ALJ’s recommended civil penalties.
The 10th Circuit affirmed the district court’s order of a $38.4 million restitution award, rejecting the petitioners’ various challenges and affirming the director’s order.
On September 13, the FTC and CFPB (agencies) filed a joint amicus brief with the U.S. Court of Appeals for the Third Circuit, seeking the reversal of a district court decision that held furnishers of credit information are only obligated to investigate “bona fide” indirect disputes and may choose to decline to investigate other indirect disputes raised by consumers that are deemed frivolous. The agencies argued that this “atextual, judge-made exception” could undermine a key FCRA protection that allows consumers to dispute and correct inaccurate information in their credit reports, leading to a likely increase in consumer complaints related to credit reporting inaccuracies. Under the FCRA, consumers may file a direct dispute with a furnisher or file an indirect dispute with a consumer reporting agency (CRA), which may refer the dispute to the furnisher.
The case involves a direct dispute submitted by a plaintiff to a cable company, requesting an investigation into an allegedly fraudulent delinquent account listed on his credit report. The plaintiff informed the cable company that he was a victim of identity theft and that the account was opened in his name without his authorization. The cable company eventually referred the account to a debt collector (defendant) for collection after the plaintiff failed to provide requested information showing his account was opened due to fraud. An indirect dispute was later filed by the plaintiff with the CRA, which in turn sent the dispute to the defendant as the furnisher of the allegedly inaccurate information. After a second indirect dispute was filed noting the allegedly fraudulent account was the subject of litigation, the defendant removed the account from the plaintiff’s credit report and ceased collections. The plaintiff sued, asserting claims under the FCRA, FDCPA, and Pennsylvania law. The district court granted summary judgment in favor of the defendant, ruling that the plaintiff failed to provide evidence substantiating the basis of his dispute, and that “a furnisher is obligated to investigate only ‘bona fide’ indirect disputes and may therefore decline to investigate any indirect dispute it deems frivolous.”
In urging the appellate court to overturn the decision, the agencies countered in their amicus brief that the text of the FCRA is unambiguous—“furnishers must investigate all indirect disputes.” Nothing in the text suggests that a furnisher can choose not to investigate an indirect dispute if it determines it to be frivolous, the agencies stressed, further noting that if Congress intended to “create an exception for frivolous disputes, it knew how to do so,” and that in other parts of the statute Congress expressly provided that certain frivolous disputes do not need to be investigated.
The amicus brief also pointed out that under the FCRA, consumers are entitled to be notified about the outcome of their disputes, as well as given an opportunity to cure any deficiencies. The district court holding, the agencies said, would circumvent these requirements, thereby undercutting a central remedy under the FCRA that ensures consumers are able to dispute and correct inaccurate information in their credit reports. If furnishers were able to ignore disputes referred to them by CRAs, it could open an unintended loophole that would allow disputes to disappear “into a proverbial black hole,” the agencies asserted, emphasizing that if the district court’s interpretation is affirmed, consumers who submit an indirect dispute that is deemed frivolous by a furnisher may never receive any notice of that determination, and therefore, may never be able to cure any deficiencies or correct erroneous information in their credit reports.
The agencies also challenged whether the exception created by the district court’s ruling is necessary, as the FCRA already provides protections to furnishers from investigating frivolous disputes. Specifically, the statute allows CRAs to determine if a dispute is frivolous before forwarding a dispute to the furnisher. Moreover, furnishers “are not required to conduct an unreasonably onerous investigation into a conclusory or unsubstantiated dispute,” the agencies explained, stating that whether a furnisher has satisfied its obligation to conduct a reasonable investigation is normally a fact-intensive question for trial.
The Bureau noted in an accompanying blog post that it has also filed several other amicus briefs in other pending FCRA cases (previously covered by InfoBytes here) related to consumer reporting obligations.
On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.
Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”
According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ‘the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”
On September 14, the U.S. Court of Appeals for the Second Circuit reversed a district court’s order denying a credit union’s motion to compel arbitration in a case involving the “unique question” of “whether and how to address incorporation by reference in web-based contracts under New York law.” The plaintiff claimed that the credit union wrongfully assessed and collected overdraft and insufficient funds fees on checking accounts that were not actually overdrawn. After the credit union moved to compel arbitration pursuant to a mandatory arbitration clause and class action waiver provision contained in the account agreement, the plaintiff argued that she was not bound by these provisions because they were not included in the original agreement and the credit union did not notify her when it added them to the agreement. According to the credit union, the plaintiff was on inquiry notice of the modified agreement because she separately agreed to an internet banking agreement that incorporated the modified account agreement by reference, and because the modified account agreement was published on the credit union’s website, which the plaintiff used for online banking. The district court disagreed, finding, among other things, that the hyperlink and language related to the account agreement appeared to be “buried” in the internet banking agreement.
On appeal, the 2nd Circuit held that the district court “erred in engaging in the inquiry notice analysis, which requires an examination of the ‘design and content’ of the webpage, without reviewing the actual screenshots of the web-based contract.” Recognizing that the internet banking agreement was a “clickwrap” or a “scrollwrap” agreement, the appellate court explained that it has “consistently upheld such agreements because the user has affirmatively assented to the terms of the agreement by clicking ‘I agree’ or similar language.” While the plaintiff did not dispute that she signed up for internet banking, this did not end the court’s analysis; according to the 2nd Circuit, when addressing questions concerning digital contract formation, “courts also evaluate visual evidence that demonstrates ‘whether a website user has actual or constructive notice of the conditions.’” The credit union did not provide evidence showing how the internet banking agreement was presented to users—thereby preventing the district court from assessing whether the relevant language and hyperlink were clear and conspicuous. The 2nd Circuit, therefore, instructed the district court to consider on remand the design and content of the internet banking agreement “as it was presented to users” to determine whether the plaintiff agreed to its terms, and to assess whether the account agreements are “clearly identified and available to the users” based on applicable precedents regarding inquiry notice of terms in web-based contracts.
On September 13, the U.S. District Court for the Eastern District of Virginia granted final approval of a class action settlement in a data breach suit. As previously covered by InfoBytes, in July 2019, a national bank (defendant) announced that an unauthorized individual had obtained the personal information of credit card customers and applicants. In May 2020, a magistrate judge ordered the defendant to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the defendant’s 2019 data breach, concluding the report was not entitled to work product protection. According to the final settlement, members of the settlement class, which includes approximately 98 million U.S. residents whose information was compromised in the breach disclosed in July 2019, will receive cash compensation for out-of-pocket losses traceable to the data breach, cash compensation for time spent addressing issues related to the breach, and at least three years of identity theft defense and resolution services. Counsel can seek fees and court costs of 35 percent of the settlement fund. Additionally, each of the eight settlement class representatives could receive $5,000 in service awards, and the other plaintiffs who were deposed by the defendant will receive service awards.