
InfoBytes Blog

Financial Services Law Insights and Observations


  • Warren and Brown ask CFPB for breakdown on fair lending enforcement

    Federal Issues

    On November 25, Senators Elizabeth Warren (D-Mass) and Sherrod Brown (D-Ohio) wrote to CFPB Director Kathy Kraninger requesting a breakdown of how the Bureau enforces fair lending laws in light of recent allegations brought against a global financial services company that reportedly offered lower credit limits to women than to similarly creditworthy men. According to the Senators, the allegations raise questions as to whether a pattern of sex discrimination exists in the underwriting of the credit product and “underscore the importance of the CFPB adequately monitoring the lending practices of financial institutions . . . that are new to the consumer lending space.” The Senators also expressed concern that adjustments to the structure of the Bureau under President Trump’s administration have affected its “commitment to enforcing fair lending laws and carrying out its statutory responsibilities.” (Previous InfoBytes coverage here.) The Senators stated: “We’re concerned that this new structure, where many offices have varying degrees of authority, may allow new potentially discriminatory products to get to market without adequate oversight.” Specifically, the Senators asked the Bureau to respond to the following questions by December 9: (i) how does the Bureau “prioritize and evaluate risk when determining which financial institutions to examine for compliance with fair lending laws”; (ii) has the Bureau ever conducted a supervisory examination of the global financial services company’s fair lending compliance management system; (iii) have changes made to the Bureau’s structure affected its fair lending enforcement abilities; and (iv) are the Bureau’s standards used to determine violations of ECOA different under Director Kraninger. 

    Federal Issues CFPB U.S. Senate Fair Lending Enforcement

  • CFPB settles with two military loan companies

    Federal Issues

    On November 25, the CFPB announced a settlement with two companies that originated and serviced travel-related loans for military servicemembers and their families. According to the consent order with the lender and its principal, the lender (i) charged fees to customers who obtained financing, at a higher rate than those customers who paid in full, but failed to include the fee in the finance charge or APR; (ii) falsely quoted low monthly interest rates to customers over the phone; and (iii) failed to provide the required information about the terms of credit and the total of payments in violation of TILA and the TSR. The consent order prohibits future lending targeted to military consumers and requires the lender and its principal to pay a civil money penalty of $1. The order also imposes a suspended judgment of almost $3.5 million, based on an inability to pay.

    In its consent order against the servicer, the Bureau asserts the servicer engaged in deceptive practices by overcharging servicemembers for debt-cancellation products and, in violation of the FCRA’s implementing Regulation V, never established or maintained written policies and procedures regarding the accuracy of information furnished to credit reporting agencies. The consent order issues injunctive relief and requires the servicer to (i) pay a $25,000 civil money penalty; (ii) provide redress to consumers who were allegedly overcharged for the debt-cancellation product; (iii) pay over $54,000 in restitution to borrowers with no outstanding balance on their loans and issue additional account credits to borrowers with outstanding balances; and (iv) establish reasonable policies and procedures for accurate reporting to consumer reporting agencies.

    Federal Issues CFPB Military Lending Servicemembers TILA TSR CFPA FCRA Enforcement Settlement

  • CFPB reaches $8.5 million settlement with background screening company

    Federal Issues

    On November 22, the CFPB announced a settlement with an employment background screening company resolving allegations that the company violated the FCRA. In the complaint, the Bureau asserts that the company failed to “employ reasonable procedures to assure maximum possible accuracy” in the consumer reports it prepared. Specifically, the Bureau claims that until October 2014, the company matched criminal records with applicants based on only two personal identifiers, which created a “heightened risk of false positives” in commonly named individuals. The company also had a practice of including “high-risk indicators,” sourced from a third party, in its consumer reports and did not follow procedures to verify the accuracy of the designations. Additionally, the Bureau asserts that the company failed to maintain procedures to ensure that adverse public record information was complete and up to date, resulting in reporting outdated adverse information in violation of the FCRA. Under the stipulated judgment, in addition to injunctive relief, the company will be required to pay $6 million in monetary relief to affected consumers and a $2.5 million civil money penalty.

    Federal Issues CFPB FCRA Consumer Reporting Courts Settlement Civil Money Penalties Enforcement

  • New York considers privacy legislation broader than the CCPA

    Privacy, Cyber Risk & Data Security

    On November 22, the New York Senate’s Committee on Consumer Protection and Committee on Internet and Technology held a joint hearing titled, “Consumer Data and Privacy on Online Platforms,” which discussed the proposed New York Privacy Act, SB S5642 (the Act). The Act was introduced in May and seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York State or produce products or services that are intentionally targeted to residents of New York State. The Act contains different provisions than the California Consumer Privacy Act (CCPA), which is set to take effect on January 1, 2020 (visit here for InfoBytes coverage on the CCPA). Highlights of the Act include:

    • Fiduciary Duty. Most notably, the Act requires that legal entities “shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Specifically, the Act states that personal data of consumers “shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent.” The Act imposes a duty of care on every legal entity, or affiliate of a legal entity, with respect to securing consumer personal data against privacy risk and requires prompt disclosure of any unauthorized access. Moreover, the Act requires that legal entities enter into a contract with third parties imposing the same duty of care for consumer personal data prior to disclosing, selling, or sharing the data with that party.
    • Consumer Rights. The Act requires covered entities to provide consumers notice of their rights under the Act and provide consumers with the opportunity to opt-in or opt-out of the “processing of their personal data” using a method where the consumer must clearly select and indicate their consent or denial. Upon request, and without undue delay, covered entities are required to correct inaccurate personal data or delete personal data.
    • Transparency. The Act requires covered entities to make a “clear, meaningful privacy notice” that is “in a form that is reasonably accessible to consumers,” which should include: the categories of personal data to be collected; the purpose for which the data is used and disclosed to third parties; the rights of the consumer under the Act; the categories of data shared with third parties; and the names of third parties with whom the entity shares data. If the entity sells personal data or processes data for direct marketing purposes, it must disclose the processing, as well as the manner in which a consumer may object to the processing.
    • Enforcement. The Act defines violations as an unfair or deceptive act in trade or commerce, as well as an unfair method of competition. The Act allows for the attorney general to bring an action for violations and also confers a private right of action on any harmed individual. Covered entities are subject to injunction and liable for damages and civil penalties.

    According to reports, state lawmakers at the November hearing indicated that federal requirements would be “the best scenario,” but in the absence of Congressional movement in the area, one state senator noted that the state legislators must “assure [their] constituents that [the state legislature is] doing everything possible to protect their privacy.” Witnesses expressed concern that the Act would be placing too many new requirements on businesses that differ from what other states have already enacted, and encouraged more consistent baseline standards for compliance instead of a patchwork approach. Some witnesses expressed specific concern with the opt-in requirement for the collection and use of consumer data, noting that waiting on consumers to opt-in, as opposed to just opting-out, makes compliance difficult to administer. Lastly, many witnesses were displeased about the broad private right of action in the Act, but consumer groups praised the provision, noting that the state attorney general does not have the resources to regulate and enforce against all the data collection and sharing in the state.

    Privacy/Cyber Risk & Data Security State Legislation State Issues Enforcement State Attorney General

  • DOJ again clarifies FCPA enforcement policy

    Agency Rule-Making & Guidance

    On November 21, the DOJ updated its FCPA Corporate Enforcement Policy to clarify ways in which companies can voluntarily disclose information in an effort to receive leniency from the Department in foreign bribery situations. First, a company does not need to have a complete picture of a possible violation when it first shares information with the DOJ; rather, the company should “make clear that it is making its disclosure based upon a preliminary investigation.” Next, the agency expects a company to disclose “where the company is aware of relevant evidence not in the company’s possession,” simplifying the requirement which previously called for disclosure of “opportunities for the department to obtain relevant evidence not in the company’s possession.” Finally, in the course of a merger or acquisition “an acquiring company that discloses misconduct may be eligible for a declination, even if aggravating circumstances existed as to the acquired entity.”

    As previously covered by InfoBytes, the policy was last amended in March (March 2019 version available here) to, among other things, clarify the Department’s position on the use of ephemeral messaging apps by companies seeking full cooperation credit under the policy.

    Agency Rule-Making & Guidance DOJ FCPA Corporate Enforcement Policy Bribery Enforcement

  • SEC monetary sanctions in whistleblower program top $2 million for 2019

    Securities

    On November 15, the SEC announced it issued its fiscal year 2019 whistleblower program annual report to Congress, which states that since the program’s inception, the SEC has ordered over $2 billion in total monetary sanctions in enforcement actions that resulted from information brought by meritorious whistleblowers. As for FY 2019, the SEC received over 5,200 whistleblower tips, with over 300 tips relating to cryptocurrencies, and awarded approximately $60 million in whistleblower awards to eight individuals. Since the program’s inception, the SEC has awarded approximately $387 million to 67 whistleblowers. The report acknowledges that FY 2019 was an “unusual year” due to the lapse in appropriations, referring to the government shutdown from the end of December 2018 through most of January 2019, and includes a summary of the six actions leading to the eight awards of FY 2019. The report notes that the agency anticipates final rules to be adopted in FY 2020 related to the July 2018 proposed amendments to the whistleblower program (covered by InfoBytes here). The proposed amendments, among other things, address the Supreme Court ruling in Digital Realty Trust, Inc. v. Somers (covered in a Buckley Special Alert) and authorize the SEC to adjust an award’s percentage as appropriate to advance the goals of rewarding and incentivizing whistleblowers.

    On the same day, the SEC announced a collective award of over $260,000 to three whistleblowers who submitted a joint tip “alerting the agency to a well-concealed fraud targeting retail investors,” which led to a successful enforcement action. The order does not provide any additional details regarding the whistleblower or the company involved in the enforcement action. With this new action, the SEC has now awarded approximately $387 million to 70 whistleblowers.

    Securities SEC Whistleblower Enforcement

  • District Court enters stipulated final judgment against debt collector

    Courts

    On November 15, the U.S. District Court for the Northern District of Georgia entered a stipulated final judgment and order to resolve allegations concerning one of the defendants cited in a 2015 action taken against an allegedly illegal debt collection operation. As previously covered by InfoBytes, the CFPB claimed that several individuals and the companies they formed attempted to collect debt that consumers did not owe or that the collectors were not authorized to collect. The complaint further alleged uses of harassing and deceptive techniques in violation of the CFPA and FDCPA, and named certain payment processors used by the collectors to process payments from consumers. While the claims against the payment processors were dismissed in 2017 (covered by InfoBytes here), the allegations against the outstanding defendants remained open. The November 15 stipulated final judgment and order is issued against one of the defendants who—as an officer and sole owner of the debt collection company that allegedly engaged in the prohibited conduct—was found liable in March for violations of the FDCPA, as well as deceptive and unfair practices and substantial assistance under CFPA.

    Among other things, the defendant, who neither admitted nor denied the allegations except as stated in the order, is (i) banned from engaging in debt collection activities; (ii) permanently restrained and enjoined from making misrepresentations or engaging in unfair practices concerning consumer financial products or services; and (iii) prohibited from engaging in business ventures with the other defendants; using, disclosing or benefitting from certain consumer information; or allowing third parties to use merchant processing accounts owned or controlled by the defendant to collect consumer payments. The stipulated order requires the defendant to pay a $1 civil money penalty and more than $5.2 million in redress, although full payment of the judgment is suspended upon satisfaction of specified obligations and the defendant’s limited ability to pay.

    Courts CFPB FDCPA CFPA Enforcement Debt Collection

  • Washington AG settles deceptive practices allegations with office supply company

    State Issues

    On November 13, the Washington attorney general announced an office supply company has agreed to pay $900,000 to resolve an investigation into deceptive computer repair services. According to the AG’s office, the company allegedly used a software program, called “PC Health Check” or similar names, to facilitate the sale of diagnostic and repair services to retail customers that cost up to $200, regardless of whether their computer was actually infected with viruses or malware. The company claimed that the program, which allegedly detected malware symptoms on consumers’ computers, actually based the results on answers to four questions consumers were asked by a company employee at the beginning of the service, including whether the computer had slowed down, had issues with frequent pop-up ads, received virus warnings, or crashed often. After the questions were asked, the responses were entered into the program and a simple scan of the computer was run. The AG’s office claims that the scan had no connection to the malware symptoms results because an affirmative answer by the consumer to any of the four questions always led to the report of actual or potential malware symptoms. The release also states that in 2012, a company employee informed management that “the software reported malware symptoms on a computer that ‘didn’t have anything wrong with it,’” but that the company continued to sell the repair services until 2016 to an estimated 14,000 Washington consumers. According to the AG’s release, Washington is the only state to reach an agreement with the company over the alleged practices in addition to the $35 million national settlement the company and its software vendor reached with the FTC in March for similar conduct. (Previous InfoBytes coverage here.)

    State Issues State Attorney General Deceptive FTC Enforcement Consumer Protection Settlement

  • Massachusetts AG reaches $4 million settlement with debt collector

    State Issues

    On November 11, the Massachusetts attorney general announced a $4 million settlement with a Virginia-based debt collection company to resolve allegations that it engaged in deceptive and unfair debt collection practices. The AG’s release stated that an assurance of discontinuance filed in the Suffolk Superior Court alleges that the company “aggressively” collected on purchased defaulted loans, credit card accounts, car loans, and other consumer debts by using a network of in-house collectors who contacted consumers through multiple letters and phone calls, and used law firms to take consumers to court. An investigation revealed that the company “routinely pursued consumers with only exempt sources of income such as social security, social security disability, and supplemental security income,” and that consumers who informed the company of their reliance on such income “were pressured by the company to pay money they should have been entitled to keep.” Among other things, the AG’s office claimed that the company also (i) collected on debts it could not substantiate; (ii) failed to verify whether the consumer information it reported to credit reporting agencies was accurate; (iii) ignored the statute of limitations when collecting debt; and (iv) failed to notify consumers of their rights to request proof of a debt and to provide proof of a debt upon request. In addition to the $4 million payment, the company has agreed to stop collecting from consumers using only exempt income, will obtain documentation that debts are valid before collecting, will inform consumers when debt is beyond the statute of limitations, and will refrain from calling consumers more than twice in a seven-day period. The company also agreed to stop reporting debts it cannot substantiate to credit reporting agencies and to investigate consumer credit report accuracy disputes.

    State Issues State Attorney General Debt Collection Enforcement

  • FTC settles with technology service provider on data security issues

    Federal Issues

    On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”

    The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.

    The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.

    Federal Issues FTC Settlement Privacy/Cyber Risk & Data Security Data Breach Enforcement FTC Act
