Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FTC obtains $191 million from for-profit school for deceptive ads

    Federal Issues

    On December 10, the FTC announced a settlement with a for-profit school and its parent company to resolve allegations that they employed deceptive advertisements in violation of the FTC Act that gave the impression that the school had relationships and job opportunities with various technology companies and tailored curricula to those jobs. In the complaint, the FTC claims the defendants relied upon false and misleading advertisements to attract prospective students that gave the impression that the school’s relationship with certain companies would create employment opportunities. In addition, the FTC alleges that while the defendants claimed the companies also worked with the school to develop its courses, in reality the partnerships were primarily marketing relationships that did not create jobs or curricula for the school’s students. Moreover, the FTC claims that some of these advertisements specifically targeted current and former military members and Hispanic consumers. Under the terms of the settlement, the school is required to pay $50 million in consumer redress and cancel approximately $141 million in student loan debts owed to the school by former students who first enrolled during the covered period.

    The FTC’s press release notes, however, that the “settlement will not affect student borrowers’ federal or private loan obligations,” and directs borrowers to the Department of Education’s income-driven repayment plans for guidance on lowering monthly payments. The FTC also states that borrowers who believe they may have been defrauded or deceived can apply for loan forgiveness through the Borrower Defense to Repayment procedures.

    Federal Issues FTC Enforcement FTC Act UDAP Advertisement Student Lending

  • FTC says British data analytics firm misled consumers about collection of personal information

    Federal Issues

    On December 6, the FTC issued an unanimous opinion against a British consulting and data analytics firm, finding that the firm violated the FTC Act by engaging in “deceptive practices to harvest personal information from tens of millions of [a social media company’s] users.” The information—which was allegedly collected through an application that told users it would not harvest identifiable information—was then used to target potential voters. The opinion also found that the firm engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework. The opinion follows an administrative complaint issued against the firm in July (previously covered by InfoBytes here). Under the terms of the administrative final order, the firm is prohibited from misrepresenting “the extent to which it protects the privacy and confidentiality of personal information as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations,” and it must apply Privacy Shield protections to personal information collected during its participation in the program or return or delete the information. Among other things, the firm also must delete or destroy the personal information collected from consumers through the app, as well as any other information or work product that originated from the information.

    Federal Issues FTC Act Enforcement Privacy/Cyber Risk & Data Security UDAP Deceptive

  • Senate holds hearing on privacy law proposals

    Federal Issues

    On December 4, the Senate Commerce Committee held a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy” to discuss how to “provide consumers with more security, transparency, choice, and control over personal information both online and offline.” Among the issues discussed at the hearing was how consumer privacy rights should be enforced. As previously covered by InfoBytes, some FTC commissioners, at a hearing earlier this year, expressed that authorization to enforce federal privacy laws should vest not only in the FTC, but also in the states’ attorneys general. At the Senate hearing, there was testimony suggesting that the FTC is spread too thin to be in charge of enforcing new privacy laws. At least one witness championed state privacy regulation, while other witnesses endorsed preemption of the state laws by the envisioned federal privacy law. Although different views were expressed regarding what the law should look like, the hearing participants generally seemed to agree that a federal privacy law may be needed now in light of recent state legislative agendas and, as one Senator raised, the growing use of artificial intelligence.

    Federal Issues Privacy/Cyber Risk & Data Security FTC U.S. Senate Hearing Preemption Enforcement

  • FDIC posts enforcement actions manual

    Agency Rule-Making & Guidance

    On December 2, the FDIC announced the release of its full enforcement manual (manual). According to Financial Institution Letter (see FIL-76-2019), the manual, which was posted to the FDIC website, is meant to “support the work of field office, regional office, and Washington office staff involved in processing and monitoring enforcement actions.” The letter states that the manual was released to promote “greater transparency” to FDIC-insured institutions and other concerned parties as to the agency’s enforcement policies and procedures. Additionally, the letter cautions that the manual “does not interpret any law or regulation” nor does it “establish supervisory requirements” or “industry guidance.”

    Agency Rule-Making & Guidance FDIC Banking Enforcement

  • OFAC announces settlement with company that allegedly processed payments for sanctioned entity

    Financial Crimes

    On November 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $466,912 civil settlement with a California-based technology company to resolve alleged violations of the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR). According to OFAC, the company voluntarily disclosed that it hosted a sanctioned Slovenian software developer on its platform and collected more than $1 million in payments from customers who downloaded the developer’s apps. The company’s actions—which included hosting, selling, and facilitating the transfer of the developer’s software and associated content, as well as processing 47 payments between 2015 and 2017—were in violation of the FNKSR because OFAC’s List of Specially Designated Nationals and Blocked Persons identified the developer as a significant foreign narcotics trafficker (SDNTK).

    In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the company voluntarily disclosed the violations and continued to cooperate by promptly responding to information requests; (ii) the volume and payment amounts were not significant when compared to the company’s annual total volume of transactions; (iii) OFAC has not issued a violation against the company in the five years preceding the earliest date of the transactions at issue; and (iv) the company has strengthened its compliance program to minimize the risk of recurrence.

    OFAC also considered various aggravating factors, including that (i) the alleged conduct demonstrated a “reckless disregard for U.S. sanctions requirements”; (ii) the company’s processing of payments conferred a significant economic benefit to the developer; and (iii) the company failed to timely take corrective actions after identifying the developer as a SDNTK and continued to process payments.

    Financial Crimes Sanctions Of Interest to Non-US Persons Enforcement Department of Treasury OFAC

  • Kraninger hints at new consent order policy

    Federal Issues

    On November 22, in a speech at The Clearing House + Bank Policy Institute Annual Conference, CFPB Director Kathy Kraninger noted that the Bureau is considering changes to its consent order process to “ensur[e] consent orders remain in effect only as long as needed to achieve their desired effects.” Specifically, Kraninger discussed that while most consent orders are effective for five-year periods and companies can request early termination or termination of indefinite orders, the Bureau has only terminated “a few” consent orders in the past. Similar to the Bureau’s recent changes to its Civil Investigative Demand (CID) policy (covered by InfoBytes here), Kraninger stated that the Bureau intends to announce an updated consent order policy “soon,” in order to “provide clarity and consistency.”

    Federal Issues CFPB Enforcement Consent Order CIDs

  • Warren and Brown ask CFPB for breakdown on fair lending enforcement

    Federal Issues

    On November 25, Senators Elizabeth Warren (D-Mass) and Sherrod Brown (D-Ohio) wrote to CFPB Director Kathy Kraninger requesting a breakdown of how the Bureau enforces fair lending laws in light of recent allegations brought against a global financial services company that reportedly offered lower credit limits to women than to similarly creditworthy men. According to the Senators, the allegations raise questions as to whether a pattern of sex discrimination exists in the underwriting of the credit product and “underscore the importance of the CFPB adequately monitoring the lending practices of financial institutions . . . that are new to the consumer lending space.” The Senators also expressed concern that adjustments to the structure of the Bureau under President Trump’s administration have affected its “commitment to enforcing fair lending laws and carrying out its statutory responsibilities.” (Previous InfoBytes coverage here.) The Senators stated: “We’re concerned that this new structure, where many offices have varying degrees of authority, may allow new potentially discriminatory products to get to market without adequate oversight.” Specifically, the Senators asked the Bureau to respond to the following questions by December 9: (i) how does the Bureau “prioritize and evaluate risk when determining which financial institutions to examine for compliance with fair lending laws”; (ii) has the Bureau ever conducted a supervisory examination of the global financial services company’s fair lending compliance management system; (iii) have changes made to the Bureau’s structure affected its fair lending enforcement abilities; and (iv) are the Bureau’s standards used to determine violations of ECOA different under Director Kraninger. 

    Federal Issues CFPB U.S. Senate Fair Lending Enforcement

  • CFPB settles with two military loan companies

    Federal Issues

    On November 25, the CFPB announced a settlement with two companies that originated and serviced travel-related loans for military servicemembers and their families. According to the consent order with the lender and its principal, the lender (i) charged fees to customers who obtained financing, at a higher rate than those customers who paid in full, but failed to include the fee in the finance charge or APR; (ii) falsely quoted low monthly interest rates to customers over the phone; and (iii) failed to provide the required information about the terms of credit and the total of payments in violation of TILA and the TSR. The consent order prohibits future lending targeted to military consumers and requires the lender and its principal to pay a civil money penalty of $1. The order also imposes a suspended judgment of almost $3.5 million, based on an inability to pay.

    In its consent order against the servicer, the Bureau asserts the servicer engaged in deceptive practices by overcharging servicemembers for debt-cancellation products and, in violation of the FCRA’s implementing Regulation V, never established or maintained written policies and procedures regarding the accuracy of information furnished to credit reporting agencies. The consent order issues injunctive relief and requires the servicer to (i) pay a $25,000 civil money penalty; (ii) provide redress to consumers who were allegedly overcharged for the debt-cancellation product; (iii) pay over $54,000 in restitution to borrowers with no outstanding balance on their loans and issue additional account credits to borrowers with outstanding balances; and (iv) establish reasonable policies and procedures for accurate reporting to consumer reporting agencies.

    Federal Issues CFPB Military Lending Servicemembers TILA TSR CFPA FCRA Enforcement Settlement

  • CFPB reaches $8.5 million settlement with background screening company

    Federal Issues

    On November 22, the CFPB announced a settlement with an employment background screening company resolving allegations that the company violated the FCRA. In the complaint, the Bureau asserts that the company failed to “employ reasonable procedures to assure maximum possible accuracy” in the consumer reports it prepared. Specifically, the Bureau claims that until October 2014, the company matched criminal records with applicants based on only two personal identifiers, which created a “heightened risk of false positives” in commonly named individuals. The company also had a practice of including “high-risk indicators,” sourced from a third party, in its consumer reports and did not follow procedures to verify the accuracy of the designations. Additionally, the Bureau asserts that the company failed to maintain procedures to ensure that adverse public record information was complete and up to date, resulting in reporting outdated adverse information in violation of the FCRA. Under the stipulated judgment, in addition to injunctive relief, the company will be required to pay $6 million in monetary relief to affected consumers and a $2.5 million civil money penalty.

    Federal Issues CFPB FCRA Consumer Reporting Courts Settlement Civil Money Penalties Enforcement

  • New York considers privacy legislation broader than the CCPA

    Privacy, Cyber Risk & Data Security

    On November 22, the New York Senate’s Committee on Consumer Protection and Committee on Internet and Technology held a joint hearing titled, “Consumer Data and Privacy on Online Platforms,” which discussed the proposed New York Privacy Act, SB S5642 (the Act). The Act was introduced in May and seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York State or produce products or services that are intentionally targeted to residents of New York State. The Act contains different provisions than the California Consumer Privacy Act (CCPA), which is set to take effect on January 1, 2020 (visit here for InfoBytes coverage on the CCPA). Highlights of the Act include:

    • Fiduciary Duty. Most notably, the Act requires that legal entities “shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Specifically, the Act states that personal data of consumers “shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent.” The Act imposes a duty of care on every legal entity, or affiliate of a legal entity, with respect to securing consumer personal data against privacy risk and requires prompt disclosure of any unauthorized access. Moreover, the Act requires that legal entities enter into a contract with third parties imposing the same duty of care for consumer personal data prior disclosing, selling, or sharing the data with that party.
    • Consumer Rights. The Act requires covered entities to provide consumers notice of their rights under the Act and provide consumers with the opportunity to opt-in or opt-out of the “processing of their personal data” using a method where the consumer must clearly select and indicate their consent or denial. Upon request, and without undue delay, covered entities are required to correct inaccurate personal data or delete personal data.
    • Transparency. The Act requires covered entities to make a “clear, meaningful privacy notice” that is “in a form that is reasonably accessible to consumers,” which should include: the categories of personal data to be collected; the purpose for which the data is used and disclosed to third parties; the rights of the consumer under the Act; the categories of data shared with third parties; and the names of third parties with whom the entity shares data. If the entity sells personal data or processes data for direct marketing purposes, it must disclose the processing, as well as the manner in which a consumer may object to the processing.
    • Enforcement. The Act defines violations as an unfair or deceptive act in trade or commerce, as well as, an unfair method of competition. The Act allows for the attorney general to bring an action for violations and also prescribes a private right of action on any harmed individual. Covered entities are subject to injunction and liable for damages and civil penalties.

    According to reports, state lawmakers at the November hearing indicated that federal requirements would be “the best scenario,” but in the absence of Congressional movement in the area, one state senator noted that the state legislators must “assure [their] constituents that [the state legislature is] doing everything possible to protect their privacy.” Witnesses expressed concern that the Act would be placing too many new requirements on businesses that differ from what other states have already enacted, and encouraged more consistent baseline standards for compliance instead of a patchwork approach. Some witnesses expressed specific concern with the opt-in requirement for the collection and use of consumer data, noting that waiting on consumers to opt-in, as opposed to just opting-out, makes compliance difficult to administer. Lastly, many witnesses were displeased about the broad private right of action in the Act, but consumer groups praised the provision, noting that the state attorney general does not have the resources to regulate and enforce against all the data collection and sharing in the state.

    Privacy/Cyber Risk & Data Security State Legislation State Issues Enforcement State Attorney General

Pages

Upcoming Events