On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.
Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.
On June 24, the FTC finalized the “Free Electronic Credit Monitoring for Active Duty Military Rule,” which implements the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty military consumers. The proposed rule, issued in November 2018 (covered by InfoBytes here), defined the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify active duty military consumers within 24 hours of any material change. The proposal noted that CRAs may require that active duty military provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibited CRAs from requiring active duty military consumers to purchase a product in order to obtain the free service.
In response to comments on the proposal, the final rule refers to the definition of “active duty military consumer” in the FCRA, which requires that the servicemember be assigned to service away from their usual duty station, or be a member of the National Guard, regardless of whether the National Guard member is stationed away from their normal duty station. The FTC noted that commenters requested the requirement that the servicemember be stationed away from their normal duty station be eliminated but “the statutory language limit[ed] the Commission’s discretion on [the] topic.” However, the FCRA does not apply the same duty station requirement to the National Guard. Additionally, the final rule, among other things, (i) requires CRAs to provide free access to a credit file when they notify an active duty military consumer about a material change to the file; (ii) extends the amount of time the CRAs have to notify an active duty military consumer of a material change from 24 hours to 48 hours; and (iii) prohibits CRAs from requiring that active duty military consumers agree to terms or conditions as a requirement to obtain their free credit file, unless the terms or conditions are necessary to comply with certain legal requirements.
While the final rule goes into effect three months after publication in the Federal Register, CRAs will be allowed to comply with certain portions of the final rule by offering existing credit monitoring services to active duty military consumers for free, for a period of up to one year from the effective date.
On November 1, the FTC announced a proposed rule, which would implement the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty servicemembers. The proposal defines the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify servicemembers within 24 hours of any material change. The proposal notes that CRAs may require that servicemembers provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibits CRAs from requiring servicemembers to purchase a product in order to obtain the free service or requiring the servicemember to agree to terms and conditions. Comments will be due 60 days after publication in the Federal Register.
On October 17, as part of its fall 2018 rulemaking agenda, the FTC announced that it plans to review potential updates to federal privacy rules on how banks protect consumer data. The planned recommendation—scheduled to be presented to FTC commissioners at the end of November—will incorporate recommendations by staff and the public on changing the Gramm-Leach-Bliley Act Safeguard Rules (the Rule) given the potential conflict between the Rule and state, local, or other federal laws or regulations. As previously covered by InfoBytes, the FTC requested comments on the Rule in 2016, seeking feedback on several specific questions relating to the Rule’s economic impact and benefits, potential conflicts, and how technological, economic, or other industry changes will affect the Rule.
Among other things, the FTC’s regulatory agenda will also address (i) 2016 amendments to the Telemarketing Sales Rule; (ii) the periodic review of identity theft rules; (iii) issues related to the privacy of consumer financial information concerning vehicle disclosures; and (iv) credit monitoring for active duty military as required by the Economic Growth, Regulatory Relief, and Consumer Protection Act.
On June 26, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment, concluding that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge did not involve unfair or deceptive practices. The FTC argued that the defendants’ scheme, which used the promise of a free credit report to enroll the consumers into a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” Additionally, the court agreed with the FTC that the defendants’ website was materially misrepresentative because it did not give “the net impression that consumers were enrolling in a monthly credit monitoring service” for $29.94 a month, as opposed to defendants’ claim that consumers were obtaining a free credit report.
The court entered a judgment ordering the defendants to pay over $5 million in equitable monetary relief to the FTC and prohibiting defendants from, among other things, charging consumers for any credit monitoring services and disclosing or using any collected consumer information. The defendants must also submit to compliance reporting and monitoring by the FTC.
On October 26, the FTC agreed to a settlement of $760,000 with two affiliate marketers of a credit score business who allegedly committed deceptive acts to lure consumers into signing up for their monthly credit monitoring service for $30.00.
The settlement partly resolves a suit the FTC filed in January against the credit score company, the owner, and the company’s affiliate marketers. The FTC alleged that the defendants posted fake rental ads on Craigslist and required persons responding to the ads to obtain a purportedly “free” credit report from the company’s websites before viewing the property. The defendants, however, used the credit or debit card information consumers entered to obtain the credit report and enrolled consumers for a negative option credit monitoring service with a $30.00 monthly fee.
The order suspended the balance of the total $6.8 million judgment on the condition that the affiliate marketers pay the FTC the settled amounts. The claims against the company and the owner are ongoing.
On January 10, the FTC filed a complaint against an online company that owns three “free credit report” websites as well as three individuals connected to the company with claims that they illegally lured consumers to their websites. The scheme, as alleged in the complaint, made use of Craigslist ads promoting non-existent or unauthorized apartments and houses for rent as the means of encouraging consumers to request additional information, which would then prompt them to click on a link to one of the three websites owned by the company to get a “free” credit check. The consumers allegedly were then enrolled in a credit monitoring service, supposedly without their knowledge or consent. The company has purportedly accrued millions of dollars using this method. On January 11, the U.S. District Court for the Northern District of Illinois entered a temporary restraining order against the defendants.
On December 18, a group of House Democrats sent a letter urging the FTC to focus on the online marketing of products and services by consumer reporting agencies (CRAs). The lawmakers assert that CRAs “often require consumers to jump through hurdles, presumably in an effort to generate additional revenue.” The lawmakers suggest that certain CRAs’ websites mislead and confuse consumers, particularly with regard to the marketing of “free” consumer products and services that are conditioned upon consumers signing up for “costly add-on services such as ongoing credit monitoring.” The letter identifies the following specific practices for FTC scrutiny: (i) marketing “free” products or services that automatically convert to a monthly subscription if the consumer does not cancel within a trial period; (ii) “prominent” advertising of discount packages without disclosing that the initial small dollar enrollment fee converts into a subscription service; and (iii) requiring consumers to set up accounts before being granted access to their credit score or reports, while “barrag[ing]” consumers with add-on product offerings during the account registration process.