InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC settles with technology service provider on data security issues
On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”
The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.
The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.
CFPB argues private class action settlement interferes with its CFPA enforcement authority
On November 6, the CFPB filed an amicus brief with the Court of Appeals of Maryland in a case challenging a private class action settlement against a structured settlement company, which purports to “release the Bureau’s claims in a pending federal action, to enjoin class members from receiving benefits from the Bureau’s lawsuit, and to assign any benefits the Bureau might obtain for class members to the class-action defendants.” As previously covered by InfoBytes, in 2017, the U.S. District Court for the District of Maryland allowed a UDAAP claim brought by the CFPB to move forward against the same structured settlement company, where the Bureau alleged the company employed abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. A similar action was also brought by the Maryland attorney general against the company. In addition to the state and federal enforcement actions, the plaintiffs filed a private class action against the company, and a trial court approved a settlement. The Court of Special Appeals reversed the lower court’s approval of the settlement, concluding that it “interferes with the [state’s] and Bureau’s enforcement authority.” The company appealed.
In its brief to the Maryland Court of Appeals, the Bureau argues that the Court of Special Appeals decision should be affirmed because the settlement provisions “threaten to interfere with the Bureau’s authority under the [Consumer Financial Protection Act] in two significant ways.” Specifically, the Bureau argues that the settlement (i) could interfere with the Bureau’s statutory mandate to remediate consumers harmed through the Civil Penalty Fund; and (ii) would interfere with the Bureau’s authority to use restitution to remediate consumer harm. The Bureau states that “the risk of windfalls to such wrongdoers could force the Bureau to decline to award Fund payments to victims,” and would “threaten to offend basic principles of equity.”
DOJ charges short-sale negotiators with fraud
On November 8, the DOJ announced that it charged the principals and co-founders (collectively, “defendants”) of a mortgage short sale assistance company with allegedly defrauding mortgage lenders and investors out of half a million in proceeds from short sale transactions. The DOJ also alleged the defendants’ actions defrauded Fannie Mae, Freddie Mac, and HUD. According to the announcement, from 2014 to 2017, the defendants negotiated with lenders for approval of short sales in lieu of foreclosure, and falsely claimed during settlement that the lenders had agreed to pay loss mitigation service fees from the proceeds of short sales. The defendants allegedly obtained around 3 percent of the short sale price from the settlement agent, which was separate from fees paid to real estate agents and closing attorneys, among others. In order to further deceive lenders, the defendants would then file fabricated documents to justify or conceal the additional fees being paid to the company. The defendants were charged with conspiracy to commit wire fraud, and one co-founder was also charged with aggravated identity theft.
FDIC, bank reach RESPA settlement
On November 6, the FDIC announced that a Washington-based bank agreed to settle allegations that it violated RESPA by paying fees to real estate brokers and homebuilders in exchange for mortgage business referrals. Section 8(a) of RESPA “prohibits giving or accepting a thing of value for the referral of settlement service involving a federally related mortgage loan.” According to the FDIC, the bank’s discontinued mortgage banking line allegedly entered into arrangements with real estate brokers and homebuilders to co-market services through online platforms. The FDIC also alleged that the bank’s mortgage banking business rented desk space in brokers’ and homebuilders’ offices, which resulted in the payment of fees by the bank for referrals of mortgage loan business. The FDIC further stated, “While co-marketing arrangements and desk rental agreements are permissible where the fees paid bear a reasonable relationship to the fair market value of marketing or rental costs, such arrangements and agreements violate RESPA when the amounts paid exceed fair market value and the excess is for referrals of mortgage business.” The bank, which has neither admitted nor denied the charges, has agreed to pay a $1.35 million civil money penalty under the terms of the settlement order, and has terminated all of its co-marketing and desk rental agreements.
FTC, Utah file action against real estate seminar company
On November 5, the FTC and the Utah Division of Consumer Protection filed a complaint in the U.S. District Court for the District of Utah against a Utah-based company and its affiliates (collectively, “defendants”) for allegedly using deceptive marketing to persuade consumers to purchase real estate training packages costing thousands of dollars. According to the complaint, the defendants violated the FTC Act, the Telemarketing Sales Rule, and Utah state law by marketing real estate training packages with false claims through the use of celebrity endorsements. The defendants’ marketing materials allegedly told consumers, among other things, that they would (i) receive strategies for making profitable real estate deals during seminars included in the packages; and (ii) learn how to access wholesale or deeply discounted properties. The complaint argues, however, that the promises were false and misleading, as, among other things, the seminars promoted additional workshops costing more than $1,100 to attend where consumers largely received general information about real estate investing, along with promotions for “advanced training” costing tens of thousands of dollars. In addition, the discounted properties were typically sold or brokered to consumers by the defendants at inflated prices with concealed markups, the complaint alleges. Among other things, the FTC and Utah Division of Consumer Protection seek monetary and injunctive relief against the defendants.
FTC offers guidance for social media influencer disclosures
On November 5, the FTC released advertising disclosure guidance for online influencers, titled “Disclosures 101 for Social Media Influencers,” which outlines the FTC’s rules for disclosure of sponsored endorsements and provides influencers with tips and guidance covering effective and ineffective disclosures. The guidance reminds influencers that (i) they should disclose any financial, employment, personnel, or family relationship with the brand; (ii) disclosures should be “hard to miss,” by being placed on pictures, stated in the videos, and repeated throughout livestreams; and (iii) language in disclosures should be simple and clear, and in the same language as the endorsement itself.
For more information on the FTC’s activity covering testimonials and social media influencers, review the recent Buckley Insight, which summarizes several FTC enforcement actions involving online reviews and social media and provides key takeaways for companies considering online advertising and social media campaigns.
District Court orders millions in restitution and civil penalties against two foreclosure relief companies
On November 4, the U.S. District Court for the Western District of Wisconsin ordered restitution and disgorgement, civil penalties, and permanent injunctive relief in an action brought by the CFPB against two former foreclosure relief companies and their principals (collectively, “defendants”) for violations of Regulation O. As previously covered by InfoBytes, in 2014, the CFPB, FTC, and 15 state authorities took action against foreclosure relief companies and associated individuals, including the defendants, alleging the use of deceptive marketing tactics to obtain business from distressed borrowers. The CFPB filed three suits, the FTC filed six, and the state authorities collectively initiated 32 actions. Specifically, the CFPB alleged that the companies and individuals (i) collected fees before obtaining a loan modification; (ii) inflated success rates and likelihood of obtaining a modification; (iii) led borrowers to believe they would receive legal representation; and (iv) made false promises about loan modifications to consumers, in violation of Regulation O, formerly known as the Mortgage Assistance Relief Services (MARS) Rule. Among other things, the court order holds company one and its principals jointly and severally liable for over $18 million in restitution, while company two and its same principals are jointly and severally liable for nearly $3 million in restitution. Additionally, the court ordered civil penalties totaling over $37 million against company two and four principals.
Buckley Insights: FTC focusing on testimonials and social media influencers
The FTC has stepped up its advertising related enforcement activity in recent months, particularly focusing on companies that fail to clearly and conspicuously disclose underlying connections between testimonial providers and product sellers. Summarized below are several recent FTC enforcement actions involving online reviews and social media, as well as some key takeaways for companies considering online advertising and social media campaigns.
Recent FTC Enforcement Actions
First, in its complaint against a skincare company, the FTC alleged that the company misled consumers by posting reviews written by company employees. Specifically, the FTC’s allegations included assertions that (i) product reviews posted on a retailer’s website were not “independent experiences or opinions of impartial ordinary users of the products” and therefore, were false or misleading under Section 5 of the FTC Act; and (ii) the failure to disclose the reviews were written by the owner or employees constitutes a deceptive act or practice under Section 5 of the FTC Act, because the information would “be material to consumers in evaluating the reviews of [the company] brand products in connection with a purchase or use decision.”
In a 3-2 vote the Commission approved an administrative consent order, which notably does not include any monetary relief for consumers. The order prohibits the company from misrepresenting the status of an endorser, which includes misrepresentations that the endorser or reviewer is an “independent or ordinary user of the product.” requires the company and owner to “clearly and conspicuously, and in close proximity to that representation, any unexpected material connection between such endorser and (1) any Respondent; or (2) any other individual or entity affiliated with the product.”
In dissent, two Commissioners objected to the lack of monetary relief, stating, “[t]hat monetary relief can be difficult to calculate should not deter the FTC from seeking it. When the agency’s estimates are uncertain, the Commission sometimes demands no monetary relief whatsoever, which leads to under-deterrence of blatant fraud and dishonesty. This needs to change.”
Second, the FTC also charged a now-defunct company and its owner with selling social media followers and subscribers to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients, as well as to actors, athletes, and others who wanted to increase their social media appeal. According to the FTC, the company “provided such users of social media platforms with the means and instrumentalities for the commission of deceptive acts or practices,” in violation of Section 5(a) of the FTC Act.
The Commission unanimously voted to file the proposed court order, which bans the company from selling or assisting others in selling “social media influence.” The order, which was later approved by a federal district court, imposes a $2.5 million monetary judgment against the company owner, but suspends the majority upon the payment of $250,000.
In a business-focused blog post released in conjunction with the enforcement actions noted above, the FTC:
- Reminds marketers that when “people at the helm” are “calling the illegal shots,” the FTC will name them in their individual capacities in actions;
- Emphasizes that companies must instruct their employees and agents to clearly disclose in reviews any material connection to the product; and
- States that the truth-in-advertising provisions of the FTC Act apply to companies that claim to be “strictly B2B,” if they are providing others with the means and instrumentalities for deception.
Relatedly, in February 2019, the FTC approved final consent orders with two marketing companies for, among other things, misrepresenting paid endorsements as independent consumer opinions. The companies allegedly hired Olympic athletes to endorse a mosquito repellent on social media and formatted advertisements to appear as independent statements of impartial publications. The FTC argued that the company failed to disclose, or disclose adequately, that (i) the Olympians were paid to endorse the mosquito repellent; and (ii) the online consumer reviews were by individuals who were reimbursed for buying the product and included statements by the owner and employees of the public relations firm hired to promote the product.
The final consent orders (here and here) require that each company to cease the misrepresentations and notify future endorsers of their responsibility “to disclose clearly and conspicuously, and in close proximity to the endorsement, in any print, radio, television, online, or digital advertisement or communication, the endorser’s unexpected material connection to any Respondent or any other individual or entity affiliated with the product or service.”
Key Takeaways for Online Advertising and Social Media Campaigns:
- These complaints and consent orders incorporate the basic concepts of the FTC’s Endorsement Guides, which address how the prohibition against deceptive practices in section 5 of the FTC Act applies to endorsements and testimonials in advertising. As an FTC blog post puts it:
Suppose you meet someone who tells you about a great new product. She tells you it performs wonderfully and offers fantastic new features that nobody else has. Would that recommendation factor into your decision to buy the product? Probably.
Now suppose the person works for the company that sells the product – or has been paid by the company to tout the product. Would you want to know that when you’re evaluating the endorser’s glowing recommendation? You bet. That common-sense premise is at the heart of the Federal Trade Commission’s (FTC) Endorsement Guides.- The dissenting commissioners in the skincare product case suggested that the FTC should have obtained “monetary relief” for consumers rather than simply order the company to comply with the law in the future, implying that the company should have been required to make refunds to consumers. The FTC doesn’t have the power to obtain civil penalties for deceptive practices unless the practice violates a specific regulation or order, but many states do have that power.
- The FTC Endorsement Guides don’t have the force of law of a formal regulation but they influence enforcement decision of not only the FTC, but also other federal and state and local agencies. Some of the principles in the Guides have very wide application. For example:
- An endorsement “relating the experience” of one or more people is considered to be a representation that their experience is typical of what most people can achieve with a product or service.
- For example, an ad in which a consumer says “I saved $100 a month on my mortgage by going through XYZ Mortgage” is deemed to be a claim that most consumers will experience the same result.
- A statement that “results not typical,” or even “based on the experiences of a few people—you probably won’t have similar results” usually won’t cure the deceptive impact of a claim by an endorser that he or she achieved certain results, unless the advertiser can provide empirical testing “demonstrating that the net impression of its advertisement with such a disclaimer is non-deceptive.”
- As with any advertising claim, the implied claim of typicality in an endorsement must be substantiated, i.e., the advertiser must have data showing that the results actually are typical.
***
If you have any questions about the enforcement actions noted above or marketing and advertising related issues, please contact a Buckley attorney with whom you have worked in the past.
FDIC releases September enforcement actions
On October 25, the FDIC announced its release of a list of administrative enforcement actions taken against banks and individuals in September. According to the press release, the FDIC issued 24 orders, which include “one consent order; five removal and prohibition orders; six assessments of civil money penalty; three voluntary terminations of deposit insurance; six section 19 orders; and three terminations of orders of restitution.”
Among other actions, the FDIC assessed separate civil money penalties (CMPs) against four banks for alleged violations of the Flood Disaster Protection Act:
- New Jersey-based bank CMP: Failure to (i) notify borrowers that they should obtain flood insurance; and (ii) follow force-placement flood insurance procedures;
- Wisconsin-based bank CMP: Failure to (i) maintain flood insurance coverage for the term of a loan; (ii) follow force-placement flood insurance procedures; and (iii) provide written notice to borrowers concerning flood insurance coverage prior to extending, increasing, or renewing a loan;
- Wisconsin-based bank CMP: Failure to (i) follow escrow requirements for flood insurance; and (ii) provide borrowers with notice of the availability of federal disaster relief assistance;
- Wisconsin-based bank CMP: Failure to (i) obtain flood insurance coverage on loans at the time of origination; (ii) obtain adequate flood insurance; (iii) follow escrow requirements for flood insurance; (iv) follow force-placement flood insurance procedures; and (v) provide borrowers with notice of the availability of federal disaster relief assistance.
The FDIC also assessed a CMP against an Oregon-based bank for allegedly violating RESPA and the TCPA by (i) placing telemarketing calls to consumers listed on the Do-Not-Call registry; and (ii) using an automated dialing system to send pre-recorded calls or text messages to consumers’ cell phones.
Additionally, the FDIC entered a notice of charges and hearing against a Georgia-based bank relating to alleged weaknesses in its Bank Secrecy Act compliance program.
OCC releases September and October enforcement actions
On October 18, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include civil money penalty orders, prompt corrective action directives, removal and prohibition orders, and terminations of existing enforcement actions against individuals and banks. Included among the actions is a $100,000 civil money penalty issued against a Louisiana-based bank for an alleged pattern or practice of violations of the Flood Disaster Protection Act and its implementing regulations. The list also includes a $30 million consent order issued against a national bank for allegedly violating the statutory holding period for other real estate owned (previously covered by InfoBytes here).