On November 28, the FTC announced it is sending more than $3 million in refunds to businesses from an enforcement action against a Colorado-based digital marketplace company. In 2022, the FTC filed an administrative complaint alleging, among other things, that the defendant made false, misleading, or unsubstantiated claims regarding the quality and source of the leads it was selling to service providers, such as general contractors and small lawn care businesses (covered by InfoBytes here). As a result of its January proposed order, the FTC will disburse 110,372 refunds to eligible home service providers, and is sending out 91,273 claims forms to businesses that paid for one of the defendant’s services.
CFPB obtains stipulated judgment ordering student financing company to pay over $30 million in damages
On November 20, the United States Bankruptcy Court for the District of Delaware entered a stipulated judgment in favor of the CFPB and 11 other state enforcement agencies in connection with an adversary proceeding against a vocational training program. As previously covered by InfoBytes, the complaint alleged that the education firm (company) engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and misleading borrowers into believing that no payments would need to be made until they received a job offer. According to the CFPB, the company trained consumers to become sales development representatives, an entry-level role that requires “little or no prior sales experience or training,” and made promises it could not deliver on, such as promising a “6-figure” career in software sales. The company also initially priced its services at $2,500 in 2018, and then increased it to $15,000 the following year without any value justification. The company would recoup its payment through income share agreements (ISA). The CFPB alleged multiple causes of action against the company, including violations of the CFPA, TILA, and the FDCPA, among others. The stipulated judgment includes orders requiring the company to refund student borrowers, cancel outstanding loans, and permanently shut down.
On November 27, the NYDFS entered into a consent order with a title insurance company, which required the company to pay $1 million for failing to maintain and implement an effective cybersecurity policy and correct a cybersecurity vulnerability. The vulnerability allowed members of the public to access others’ nonpublic information, including driver’s license numbers, social security numbers, and tax and banking information. The consent order indicates the title insurance company discovered the vulnerability as early as 2018. The title insurance company’s failure to correct the vulnerability violated Section 500.7 of the Cybersecurity Regulation.
In May 2019, a cybersecurity journalist published an article on the existence of a vulnerability in the title insurance company’s application that led to the public exposure of 885 million documents, some found through search engine results. The journalist noted that “replacing the document ID in the web page URL… allow[ed] access to other non-related sessions without authentication.” Following the cybersecurity journalist’s article, and as required by Section 500.17(a) of the Cybersecurity Regulation, the title insurance company notified NYDFS of its vulnerability, at which point NYDFS investigated further. The title insurance company has been ordered to pay the penalty no later than ten days after the effective date.
On November 16, under California Corporations Code § 25532, the California Division of Financial Protection and Innovation (DFPI) issued a desist and refrain order against a securities investment platform for allegedly making false representations and material omissions to investors.
The DFPI alleges the investment platform sold securities in California on its website and the platform referred to them as “certificates.” The platform claimed that the certificates paid investors returns ranging from 2.5 percent to five percent in addition to guaranteed monthly returns. To solicit investors, the platform allegedly engaged in a multi-level marketing (MLM) structure that would have investors influence others to send money. DFPI alleged that the certificates were not qualified under the California Corporate Securities Law. DFPI also alleged that the platform omitted material information to investors, which included (i) falsely representing that the platform was partnered with a particular forex broker; (ii) representing that it was a licensed bank (while omitting that the “license” was granted by a “fictitious regulator”); (iii) using the terms “bank” and “banking” while omitting that it was not authorized to engage in the business of banking in California; (iv) misrepresenting profits and risk of loss; and (v) failing to disclose that its securities were not qualified in California.
On November 21, the DOJ seized nearly $9 million in stablecoins from cryptocurrency scammers after the criminals exploited over 70 victims. The seized stablecoins, a type of crypto asset pegged to a central bank’s currency, were tied to the U.S. dollar. The scammers employed a long-con technique called “pig butchering,” a tactic to build and exploit a victim’s trust over time by creating fake romantic enticements meant to swindle victims into handing over money. The criminals targeted and convinced victims to “make cryptocurrency deposits by fraudulently representing that the victims were making investments with trusted firms and cryptocurrency exchanges.”
The DOJ was able to trace the stolen funds based on the funds’ cryptocurrency addresses as part of a money laundering technique known as “chain hopping… used to ‘layer’ the proceeds of criminal activity into new cryptocurrency ecosystems, all to obfuscate the… ownership of those proceeds.” The DOJ worked with the U.S. Secret Service to trace the victims’ deposits, and it was originally alerted by victim reports made on the FBI’s Internet Crime Complaint Center and the FTC’s Consumer Sentinel Network.
On November 16, the FTC issued a proposed order against an integrated technology services company finding a violation of Section 5(a) of the Federal Trade Commission Act. According to the order, the company offered various products and services to jails, prisons, and detention facilities. These products and services included means of communication between incarcerated and non-incarcerated individuals, and, among other things, allowed non-incarcerated individuals to deposit funds into the accounts of incarcerated individuals. According to the complaint, and due to the nature of its operations, the company collected individuals’ sensitive personally identifiable information, including names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information, some of which was exposed as a result of a data breach in August 2020 due to a misconfiguration in the company’s cloud storage environment.
In its decision, the FTC ordered the company to, among other things, (i) implement a comprehensive data security program, including “change management” measures and multifactor authentication; (ii) notify users affected by the data breach, who had not yet received notice, and offer credit monitoring and identity protection products; (iii) inform consumers and facilities within 30 days of future data breaches; and (iv) notify the FTC within 10 days of reporting any security incident to local, state, or federal authorities.
On November 20, the SEC filed a complaint in the U.S. District Court for the Northern District of California against a crypto trading platform, which allows customers to buy and sell crypto assets through an online market, for allegedly acting as an unregistered securities exchange, broker, dealer, and clearing agency. The SEC also claimed defendant’s business practices, internal controls, and recordkeeping were inadequate and presented additional risks to consumers that would also be prohibited had defendant been properly registered with the commission. For instance, the SEC cited practices including commingling billions of dollars of consumers’ cash and crypto assets with defendant’s own crypto assets and cash, which defendant’s 2022 independent auditor identified as “a significant risk of loss.”
Director of the SEC’s Division of Enforcement, Gurbir S. Grewal, said, “[Defendant’s] choice of unlawful profits over investor protection is one we see far too often in this space, and today we’re both holding [defendant] accountable for its misconduct and sending a message to others to come into compliance.”
The SEC seeks to (i) permanently enjoin defendant from violating Section 5 and Section 17A of the Exchange Act; (ii) permanently enjoin defendant from offering or selling securities through crypto asset staking programs; (iii) disgorge defendant’s allegedly illegal gains and pay prejudgment interest; and (iv) impose a civil money penalty.
On November 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against an Indiana bank for allegedly engaging in unsafe or unsound practices, related to corporate governance and enterprise risk management, credit underwriting and administration, liquidity risk management, and interest rate risk management. The order requires the bank to, among other things, (i) provide quarterly reports detailing corrective action and efforts to comply with the order; (ii) develop a written strategic plan; (iii) maintain specified capital ratios; (iv) engage an independent third party to review board and management supervision; (v) submit a written concentration risk management program and a written liquidity risk management program; (vi) adopt a credit underwriting and administration program; (vii) submit and adopt a written adequate allowance for credit losses; and (viii) adopt a written credit derivatives program.
On November 15, the CFPB announced a consent order against a Chicago-based small-dollar lender for allegedly violating a 2019 order and independently violating the CFPA. According to the 2019 consent order, the respondent allegedly withdrew funds from consumers’ bank accounts without permission and failed to honor loan extensions. Specifically, the respondent replaced consumers’ bank account information used to pay for existing loans with separate account information supplied by a “lead generator.” Respondent allegedly debited consumers’ payments through the accounts provided by the lead generator, instead of the consumers’ originally saved payment method. The 2019 order, among other things, (i) barred the respondent from making or initiating electronic fund transfers without valid authorization; (ii) barred the respondent from failing to honor loan extensions; and (iii) required the respondent to pay a $3.8 million civil money penalty. In its most recent order, the CFPB alleged that, based on an investigation of the respondent’s compliance with the 2019 order, the respondent continued the same unauthorized withdrawals and canceled loan extensions. The Bureau also alleged that the respondent failed to disclose that making a partial payment could cancel a loan extension, misrepresented associated fees, and failed to provide consumers copies of signed authorizations. The respondent also allegedly provided inaccurate due dates, misrepresented skipping payments, and misrepresented loan amounts. The respondent released a statement on the enforcement action, highlighting its cooperation with the CFPB and internal technical issues.
In the most recent order, the respondent, without admitting or denying the CFPB’s allegations, agreed to pay a $15 million civil money penalty and refund affected consumers. The respondent also agreed to stop providing certain types of consumer loans for seven years (beginning in 2022) and to reform its executive compensation agreements and policies to ensure that compensation accounts for executives’ compliance with consumer financial protection laws, including the Consent Order. The respondent must conduct an annual compensation review and provide a report of the review to the CFPB.
On November 9, the SEC and DOJ charged two co-CEOs of a tech investment firm for allegedly directing a $100 million fraud scheme. The two individuals were the founders of a failed Fresno-based technology company and were charged with “conspiring to commit wire fraud and taking more than $100,000,000 from various businesses and individuals” under U.S.C. § 1349. The two founders allegedly misled investors through falsified documents, bank records, auditing reports, and accounting statements.
The DOJ alleges that, as recently as January 2022, “[the two individuals lied] to board members, investors, lenders, and others about [the company’s] finances to obtain investments, loans, and other funding… Much of the money went towards paying payroll, including the [co-CEOs’] $600,000 per year salaries.” Authorities discovered the alleged fraud scheme in May 2023 when the company failed to make payroll and then terminated all 900 of its employees. If convicted, the two founders face a maximum statutory penalty of 20 years in prison each and a $250,000 fine.