Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
In its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The proposed consent order requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the proposed consent order requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
On June 6, the FTC announced that it submitted its 2018 Annual Financial Acts Enforcement Report to the CFPB. The report—which the Bureau requested for its use in preparing its 2018 Annual Report to Congress—covers the FTC’s enforcement activities regarding Regulation Z (the Truth in Lending Act or TILA), Regulation M (the Consumer Leasing Act or CLA), and Regulation E (the Electronic Fund Transfer Act or EFTA). Highlights of the enforcement matters covered in the report include:
- Auto Lending and Leasing. The report discusses two enforcement matters related to deceptive automobile dealer practices. The first, filed in August 2018, alleged that a group of four auto dealers, among other things, advertised misleading discounts and incentives in their vehicle advertisements, and falsely inflated consumers’ income and down payment information on financing applications. The charges brought against the defendants allege violations of the FTC Act, TILA, and the CLA. The FTC sought, among other remedies, a permanent injunction to prevent future violations, restitution, and disgorgement. (Detailed InfoBytes coverage of the filing is available here.) In the second, in December 2018, the FTC mailed over 43,000 checks, totaling over $3.5 million, to consumers allegedly harmed by nine dealerships and owners engaged in deceptive and unfair sales and financing practices, deceptive advertising, and deceptive online reviews. (Detailed InfoBytes coverage is available here.)
- Payday Lending. The report covers two enforcement matters, including the U.S. Court of Appeals for the 9th Circuit’s December 2018 decision upholding the $1.3 billion judgment against defendants responsible for operating an allegedly deceptive payday lending program. The decision is the result of a 2012 complaint in which the FTC alleged that the defendants engaged in deceptive acts or practices in violation of Section 5(a) of the FTC Act by making false and misleading representations about costs and payment of the loans. (Detailed InfoBytes coverage is available here.) The report also indicates that, in February 2018, the FTC issued over 72,000 checks totaling more an $2.9 million to consumers stemming from a July 2015 settlement, that alleged that online payday operators used personal financial information purchased from third-party lead generators or data brokers to make unauthorized deposits into and withdrawals from consumers’ bank accounts, regardless of whether the consumer applied for a payday loan. (Detailed InfoBytes coverage is available here.)
- Negative Option. The report covers six enforcement matters related to alleged violations of the EFTA and Regulation E for “negative option” plans, including three new filings against online marketers for allegedly advertising “free trial” offers for products that enrolled consumers in expensive, ongoing plans without their knowledge or consent. The report notes that, in 2018, the FTC reached a settlement with one entity and obtained a court judgment against another, both resulting in injunctive relief and monetary settlements (which were suspended due to the defendants’ inability to pay). The report also notes that the FTC mailed 2,116 refund checks totaling more than $355,000 to people who bought an allegedly deceptive “memory improvement” supplement.
Additionally, the report addresses the FTC’s research and policy efforts related to truth in lending and leasing, and electronic fund transfer issues, including (i) a study of consumers’ experiences in buying and financing automobiles at dealerships; and (ii) the FTC’s Military Task Force’s work on military consumer protection issues. The report also outlines the FTC’s consumer and business education efforts, which include several blog posts warning of new scams and practices.
On May 31, the FDIC announced its release of a list of administrative enforcement actions taken against banks and individuals in April. The list reflects that the FDIC issued 17 orders, which includes “two consent orders; three terminations of consent orders; five Section 19 orders; three removal and prohibition orders; and four orders to pay civil money penalty.” Among other actions, the FDIC assessed civil money penalties against three separate banks (see here, here, and here) for alleged violations of the Flood Disaster Protection Act, including failing to (i) obtain flood insurance coverage on loans at or before origination; (ii) maintain, increase, extend, renew, or provide written notification to borrowers concerning flood insurance coverage on loans secured by collateral located in special flood hazard areas; (iii) follow force-placement flood insurance procedures; or (iv) provide borrowers with notice of the availability of federal disaster relief assistance within a reasonable timeframe.
The FDIC also assessed a civil money penalty against a New York-based bank related to alleged violations of the Bank Secrecy Act.
OFAC issues Finding of Violation, no penalties, against bank for alleged Iranian sanctions violations
On May 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a Finding of Violation against a bank, acting as a trustee for a customer, for violations of the Iranian Transactions and Sanctions Regulations (ITSR). According to the announcement, OFAC’s Finding of Violation was based on the fact that the bank processed at least 45 pension payments totaling over $11,000 to a U.S. citizen with a U.S. bank account, residing in Iran. After learning of and reporting the issue to OFAC, the bank modified its review and reporting process to ensure that retirement payments are screened by the right screening platform and that sanctions alerts are handled through the appropriate process, including review by compliance specialists with expertise in sanctions.
When issuing a Finding of Violation against the bank, as opposed to a civil money penalty, OFAC considered the fact that, among other things, (i) no managers or supervisors appear to have been aware of the conduct that led to the violations; (ii) the payments at issue may not have actually been transferred to Iran; (iii) the bank took remedial action in response to the violations; and (iv) the bank cooperated with OFAC by self-disclosing the alleged violations and agreeing to tolling the matter with extensions.
On May 21, the FTC announced a payment processor, its CEO and owner, and two other officers (collectively, “defendants”) agreed to settle charges that they knowingly processed fraudulent transactions to consumers’ accounts in violation of the FTC Act. According to the FTC’s complaint, the defendants allegedly assisted merchants, who were engaged in fraud, in hiding their activities from banks and credit card networks. The defendants allegedly (i) created fake foreign shell companies to open accounts in their names; (ii) submitted dummy websites and other false information to merchant banks; and (iii) worked to evade card network rules and monitoring designed to prevent fraud. The settlement order against the processing company and its CEO imposes a judgment of over $110 million, which is partially suspended due to the inability to pay. The settlement order against one officer imposes a judgment of over $300,000, which is suspended due to the inability to pay. The settlement order against the second officer, the company’s Chief Operating Officer, imposes a $1 million judgment. Each order imposes a permanent ban on the defendants from, among other things, engaging in payment processing and credit card laundering, whether directly or through an intermediary.
On May 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include personal cease-and-desist orders, removal and prohibition orders, notice of charges against an individual, and terminations of existing enforcement actions against individuals and banks. The release also includes two civil money penalty orders discussed below.
On April 9, the OCC assessed $35,000 in civil money penalties against an Oklahoma-based bank for an alleged pattern or practice of violations of the Flood Disaster Protection Act and its implementing regulations. Additionally, on April 24, the OCC assessed $136,000 in civil money penalties against a Texas-based bank for an alleged pattern or practice of failing to ensure timely notification and force-placement of flood insurance on property in special flood hazard areas, in violation of the National Flood Insurance Act.
On May 17, the CFPB announced it filed a lawsuit in the U.S. District Court for the Eastern District of New York against a New York debt-collection law firm. According to the Bureau’s complaint, between 2014 and 2016 the law firm allegedly initiated more than 99,000 collection lawsuits in an attempt to collect debts through reliance on “non-attorney support staff, automation, and both a cursory and deficient review of account files,” in violation of both the FDCPA and the Consumer Financial Protection Act. The Bureau alleges the lawsuits contained names and signatures of attorneys despite those attorneys “not being meaningfully involved in reviewing the merits of the lawsuits,” including not reviewing pertinent documentation related to the debts, such as account applications, billing statements, payment histories, and the terms and conditions governing an account. The law firm allegedly did not perform reviews of the contracts related to debt sales, despite filing lawsuits on behalf of debt buyers that have been accused of unlawful debt collection practices. The Bureau is seeking an injunction, damages, redress to consumers, and the imposition of a civil money penalty.
On May 16, the Federal Reserve Board (Board) announced an enforcement action against a Nebraska-based bank for allegedly violating the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $69,000 penalty against the bank, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty for a pattern or practice of violations under the NFIA is $2,000 per violation.
The same day, the Board issued an order of prohibition against a former employee and institution-affiliated party of an Illinois-based bank for allegedly engaging in unsafe and unsound lending practices, including engaging in improper lending practices and failing to implement adequate Bank Secrecy Act/anti-money laundering controls and training. The terms of the order prohibit the individual from, among other things, “participating in any manner in the conduct of the affairs of any financial institution or organization specified in section 8(e)(9)(A) of the [Federal Deposit Insurance Act],” or “voting for a director, or serving or acting as an institution-affiliated party.”
On May 2, the CFPB announced that it had filed a lawsuit against Utah-based credit repair telemarketers and their affiliates (defendants) for allegedly committing deceptive acts and practices in violation of the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA). According to the complaint filed in the U.S. District Court for the District of Utah, the CFPB alleges the defendants charged consumers a fee for telemarketed credit repair services when they signed up for the services, and then monthly thereafter, without (i) waiting for the timeframe in which they represented their services would be provided to expire; and (ii) demonstrating that the promised results have been achieved, in the form of a consumer report issued more than six months after those results were achieved, as required by the TSR. Additionally, the CFPB alleges that certain defendants made false and misleading claims constituting deceptive acts under the CFPA. Specifically, the CFPB alleges those defendants marketed that guaranteed, or high-likelihood, loans or rent-to-own housing offers would be available through affiliates after signing up for credit repair services when in actuality, the products were not available. The CFPB is seeking restitution, civil money penalties, and injunctive relief against the defendants.
On April 29, NYDFS announced its newly created Consumer Protection and Financial Enforcement Division, led by Katherine Lemire as Executive Deputy Superintendent. The new office combines the Enforcement and Financial Frauds division with the Consumer Protection division and is responsible for ensuring compliance, fighting consumer fraud, and assisting NYDFS with the enforcement of the state’s Banking, Insurance and Financial Services laws. The office will have a particular investigative focus on the response to cybersecurity events and the creation of supervisory, regulatory and enforcement policy in the area of financial crimes. Prior to her new role, Lemire served as Assistant United States Attorney in the Southern District of New York where she investigated complex federal crimes, and as a prosecutor in the Manhattan District Attorney’s Office.
- APPROVED Webcast: Introducing Mogy — APPROVED’s licensing technology solution
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Christopher M. Witeck and Moorari K. Shah to discuss "The latest in vendor management regulations" at a Mortgage Bankers Association webinar
- Buckley Webcast: Hot topics in debt collection — An analysis of recent federal FDCPA litigation
- Jonice Gray Tucker to discuss "How to succeed in law school" at the SEO Law DC Panel Discussions
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference