InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- A $5 billion penalty—the largest consumer privacy penalty to date—against a global social media company to resolve allegations that the company violated its 2012 FTC privacy order and mishandled users’ personal information. (Covered by InfoBytes here.)
- A $170 million penalty against a global online search engine and its video-sharing subsidiary to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA). (Covered by InfoBytes here.)
- A proposed settlement in the FTC’s first case against developers of “stalking” apps that monitor consumers’ mobile devices and allegedly compromise consumer privacy in violation of the FTC’s Act prohibition against unfair and deceptive practices and COPPA.
- A global settlement of up to $700 million issued in conjunction with the CFPB, 48 states, the District of Columbia and Puerto Rico, to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. (Covered by InfoBytes here.)
The report also discusses the FTC’s enforcement of the EU-U.S. Privacy Shield framework, provides links to FTC congressional testimony on privacy and data security, and offers a list of relevant rulemaking, including rules currently under review. In addition, the report highlights recent privacy-related events, including (i) an FTC hearing examining consumer privacy as part of its Hearings on Competition and Consumer Protection in the 21st Century; (ii) the fourth annual PrivacyCon event, which hosted research presentations on consumer privacy and security issues (covered by InfoBytes here); (iii) a workshop examining possible updates to COPPA; and (iv) a public workshop that examined issues affecting consumer reporting accuracy.
CFPB denies debt collection law firm’s request to set aside CID
On February 10, the CFPB denied a debt collection law firm’s request to modify or set aside a third-party Civil Investigative Demand (CID) issued to the firm by the Bureau while investigating possible violations of the FDCPA, CFPA, and the FCRA. As previously covered by InfoBytes, the Bureau also denied a request by a debt collection company to modify or set aside a CID, which sought information about the company’s business practices and its relationship with the firm in the same investigation. The firm’s petition asserted arguments largely based on the theory that the CFPB’s structure is unconstitutional, and that the Dodd-Frank Act provides the Bureau’s director with “overly broad executive authority.” Alternatively, the firm argued that if the CID is not set aside, it should be modified, stating, among other things, that the CID’s scope exceeds applicable statutes of limitation.
As it did in the debt collection company’s request to set aside or modify the CID, the Bureau rejected the firm’s constitutionality argument, stating that “[t]he administrative process for petitioning to modify or set aside CIDs is not the proper forum for raising and adjudicating challenges to the constitutionality of provisions of the Bureau’s statute.” Additionally, the Bureau’s Decision and Order discounts the firm’s statute of limitations argument, contending that “the Bureau is not limited to gathering information only from the time period in which conduct may be actionable. Instead, what matters is whether the information is relevant to conduct for which liability can be lawfully imposed.” The Bureau also directed the firm to comply with the CID within ten days of the Order.
OCC releases January enforcement actions
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”
CFPB requests 14% increase for FY 2020
In February, CFPB Director Kathy Kraninger submitted a budget proposal seeking, among other things, a 13.7 percent increase for fiscal year (FY) 2020. Notably, the increase runs counter to President Trump’s FY 2019 and FY 2020 budgets, which sought budget cuts for the CFPB of $147 million and $23 million respectively (with a proposed $110 million budget cut for FY 2021). According to the Bureau’s budget proposal, the increase reflects costs associated with “recently approved staffing targets after the Bureau ended the hiring freeze previously in place since FY 2018 as well as additional funding for new initiatives in pursuit of the Bureau’s mission and strategic goals.” Included in these goals are budget increases to support (i) additional consumer education initiatives; (ii) “additional qualitative disclosure testing to evaluate consumer usability” related to the model validation notices that are currently under development as part of the Bureau’s proposed debt collection rule; (iii) field and economic laboratory studies intended to improve the understanding of issues related to consumer financial disclosures; (iv) processing and analyzing consumer complaints; and (v) “increased staffing levels in the Supervision, Enforcement, and Fair Lending program responsible for conducting examination activities.”
CFPB, South Carolina, and Arkansas file charges in pension-advance scheme
On February 20, the CFPB, the South Carolina Department of Consumer Affairs, and the Arkansas attorney general filed a complaint in the U.S. District Court for the District of South Carolina against a South Carolina-based company and two of its managing partners (defendants) for allegedly violating the Consumer Financial Protection Act and the South Carolina Consumer Protection Code by working with a series of broker companies that brokered contracts offering high-interest credit to disabled veterans and other consumers in exchange for the assignment of some of the consumers’ unpaid earnings, monthly pensions, or disability payments. Under federal law, agreements under which a person acquires the right to receive a veteran’s pension or disability payment are void, and South Carolina law—which governs these contracts—“prohibits sales of unpaid earnings and prohibits assignments of pensions as security on payment of a debt.”
The complaint alleges that the defendants substantially assisted broker companies that allegedly engaged in deceptive and unfair acts or practices through the marketing and administration of high-interest credit. (Covered by InfoBytes here.) The defendants’ alleged actions include: (i) “developing a pre-approval or risk-assessment process for the contracts and conducting underwriting”; (ii) “approving or denying consumers’ applications to enter into the transactions”; (iii) “directing and administering the execution of the contracts”; (iv) “serving as the payment processor for the initial lump-sum payment and fees”; and (v) “continuing to serve as the transactions’ payment processor, tracking and controlling the collection and distribution of consumers’ payments on the contracts.” In addition, the Bureau alleges, among other things, that the defendants provided substantial assistance to the broker companies’ deceptive misrepresentations that consumers could be subjected to criminal prosecution if they breached their contracts. In addition, the defendants also allegedly collected on contracts brokered by the broker companies that were void from inception “by initiating ACH debts to take payments from consumers’ bank accounts,” demanding payments through letters and other communications, and filing suit against consumers who failed to make payments.
The complaint seeks injunctive relief, restitution, damages, disgorgement, and civil money penalties.
CFPB issues Winter 2020 Supervisory Highlights
On February 14, the CFPB released its winter 2020 Supervisory Highlights, which details its supervisory and enforcement actions in the areas of student loan servicing, payday lending, debt collection, and mortgage servicing. The findings of the report, which are published to assist entities in complying with applicable consumer laws, cover examinations that generally were completed between April and August of 2019. Highlights of the examination findings include:
- Debt collection. The Bureau cited violations of the FDCPA’s requirement that debt collectors must, after the initial written communication, disclose that their communications are from a debt collector. The report also included the failure of some debt collectors to provide a written validation notice to consumers within five days after the debt collector initially contacts the consumer regarding the collection of a debt.
- Payday lending. The Bureau found violations of the CFPA, including among other things, lenders failing to apply consumer payments to their loan balances and treating the accounts as delinquent. The Bureau also found weaknesses in employee training that resulted in providing consumers with inaccurate annual percentage rates in violation of Regulation Z.
- Mortgage servicing. The Bureau pointed out that servicers had violated Regulation X by failing to provide written acknowledgement of receipt of consumer loss mitigation applications, including whether the applications were complete or incomplete, within five days of receipt. Servicers also failed to provide in writing a list of loss mitigation options for which the consumer was eligible within 30 days of receiving a complete loss mitigation application.
- Student loan servicing. The Bureau noted that after loans were transferred, some servicers billed incorrect monthly amounts to the consumers.
The report notes that in response to most examination findings, the companies have taken or are taking remedial and corrective actions, including by identifying and compensating impacted consumers and updating their policies and procedures to prevent future violations. Lastly, the report also highlights the Bureau’s recently issued rules and guidance.
FTC seeks injunction against online investment training academy for deceptive claims
On February 12, the FTC filed a complaint in the U.S. District Court for the Central District of California against a California-based investment training operation alleging use of deceptive claims to sell costly “training programs” targeting older consumers. According to the complaint, the operation allegedly violated the FTC Act and the Consumer Review Fairness Act by using false or unfounded claims to market programs that purportedly teach consumers investment strategies designed to generate substantial income from trading in the financial markets “without the need to possess or deploy significant amounts of investable capital.” The FTC also alleges that the operation’s instructors claim to be successful traders who have amassed substantial wealth using the strategies, but are actually salespeople working on commission. However, the FTC asserts, among other things, that the operation fails to track customers’ trading results and that its earnings claims are false or unsubstantiated. Moreover, the FTC alleges the operation requires that dissatisfied customers requesting refunds sign agreements barring them from posting negative comments about the operation or its personnel, and specifically prohibits customers from reporting potential violations to law enforcement agencies. Among other things, the FTC seeks injunctive relief against the operation, as well as “rescission or reformation of contracts, restitution, the refund of monies paid, disgorgement of ill-gotten monies, and other equitable relief.”
CFPB denies debt collector’s request to set aside CID
On February 6, the CFPB released a Decision and Order denying a debt collection company’s (petitioner) request to set aside or modify a third-party Civil Investigative Demand (CID) issued by the Bureau, and directing the petitioner to provide all information required by the CID. The CID in dispute was issued to the petitioner by the CFPB in November and seeks documents and written responses pertaining to the petitioner’s business practices and its relationship with a New York-based debt collection law firm. The CID requests information regarding whether “debt collectors, furnishers, or associated persons” had, among other things, (i) violated the Consumer Financial Protection Act by ignoring warnings regarding debts resulting from identity theft “in a manner that was unfair, deceptive or abusive”; (ii) violated the FDCPA by disregarding cease-and-desist requests or by failing to provide required notices or making false or misleading statements; or (iii) violated the FCRA by “fail[ing] to correct and update furnished information, or fail[ing] to maintain reasonable policies and procedures.”
In its petition to set aside or modify the CID, the petitioner set out four primary arguments: (i) the structure of the CFPB is unconstitutional, and it therefore “lacks authority to proceed with enforcement activity”; (ii) the CID improperly seeks attorney-client privileged information; (iii) the CID is “overly broad,” does not apply to the petitioner, and does not sufficiently provide the “nature of the conduct under investigation and the applicable provisions of law”; and (iv) the CID improperly seeks information beyond the applicable statute of limitations.
The Bureau’s denial of the petitioner’s request addresses each of the petitioner’s arguments. Regarding the constitutionality of the CFPB’s structure, the order asserts that “the administrative process set out in the [B]ureau’s statute and regulations for petitioning to modify or set aside a CID is not the proper forum for raising and adjudicating challenges to the constitutionality of the [B]ureau’s statute.” In response to the petitioner’s attorney-client privilege argument, the order states that the petitioner “does not ask…to modify the CID to avoid seeking privileged information—it only asks that the CID be quashed in its entirety.” The Bureau states that because the petitioner makes a “blanket assertion” of attorney-client privilege rather than providing the required privilege log in order to properly claim privilege over materials requested in the CID before filing its petition, the petitioner’s argument is “procedurally improper” and does not show that the “CID should be set aside on these grounds.” To the petitioner’s lack of specificity argument, the order states that the CID “sets forth in detail both the conduct under investigation and applicable laws,” adding that there is no requirement that the Bureau disclose the targets of its “ongoing and confidential law-enforcement investigations.” The order also rejects the petitioner’s statute of limitations argument, explaining that the Bureau is not limited to the three years preceding the CID, but “instead what matters is whether the information is relevant to conduct for which liability can be lawfully imposed.”
Broker-Dealer settles with SEC for improper handling of ADRs
On February 6, the SEC announced a settlement with a broker-dealer to resolve allegations concerning the improper handling of pre-released American Depositary Receipts (ADRs), or “U.S. securities that represent foreign shares of a foreign company.” The SEC noted in its press release that ADRs can be pre-released without the deposit of foreign shares only if: (i) the broker-dealers receiving the ADRs have an agreement with a depository bank; and (ii) the broker-dealer or the broker-dealer’s customer owns the number of foreign shares that corresponds to the number of shares the ADR represents. According to the SEC’s Order Instituting Administrative Proceedings (order), the broker-dealer improperly borrowed pre-released ADRs from other brokers that it should have known did not own the foreign shares necessary to support the ADRs. The SEC also found that the broker-dealer failed to implement policies and procedures to reasonably detect whether its securities lending desk personnel were engaging in such transactions. The broker-dealer neither admitted nor denied the SEC’s allegations, but agreed to pay more than $326,000 in disgorgement, roughly $80,970 in prejudgment interest, and a $179,353 penalty. The SEC’s order acknowledged the broker-dealer’s cooperation in the investigation and that the broker-dealer had entered into tolling agreements.
NYDFS to take action against check cashing companies for BSA/AML violations
On February 3, NYDFS announced it intends to take enforcement action through an administrative proceeding against several check cashing entities for alleged violations of New York Banking Law and federal laws and regulations related to the business of check cashing. According to NYDFS, examinations revealed multiple concerns related to the entities’ Bank Secrecy Act/anti-money laundering (BSA/AML) program and transaction monitoring, including (i) inaccurate books and records; (ii) cashing post-dated checks; (iii) insufficient BSA/AML compliance; and (iv) inadequate risk-assessment procedures and customer identification and Know Your Customer programs. NYDFS also stated that management at the identified entities failed to implement effective controls to mitigate and manage BSA/AML compliance programs and Office of Foreign Assets Control risks despite “repeated criticism of the entities’ performance.”
NYDFS conducted a subsequent investigation, which found additional alleged violations that circumvented Federal and state banking laws, such as (i) hiring undisclosed employees who were paid “off the books”; (ii) conducting an unlicensed mobile check-cashing business; and (iii) and engaging in an illegal check-cashing scheme that structured transactions and falsified business records to give the appearance that checks were cashed on multiple dates, when in fact they were all cashed on a single date. The administrative proceeding to revoke the entities’ licenses and seek civil penalties will begin February 24.