InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB files deceptive and abusive allegations against foreclosure relief services company and principals
On September 6, the CFPB announced a complaint filed in the U.S. District Court for the Central District of California against a foreclosure relief services company, along with the company’s president/CEO (defendants), for allegedly engaging in deceptive and abusive acts and practices in connection with the marketing and sale of purported financial-advisory and mortgage-assistance-relief services to consumers. According to the complaint, since 2014 the defendants allegedly violated the Consumer Financial Protection Act (CFPA) and Regulation O by making deceptive and unsubstantiated representations about the efficacy and material aspects of its mortgage assistance relief services, as well as making misleading or false claims about the experience and qualifications of its employees. Additionally, the Bureau alleged the defendants’ representations about their services constituted abusive acts and practices because, among other things, consumers “generally did not understand and were not in a position to evaluate the accuracy of [the defendants’] marketing representations or the quality of the mortgage-assistance-relief services that [the defendants] sold.” Moreover, the Bureau claimed the defendants further violated Regulation O by charging consumers advance fees before rendering services.
In addition, the Bureau entered a proposed stipulated final judgment and order against the company’s principal auditor for providing “substantial assistance in furtherance of [the defendants’] unlawful conduct” in violation of the CFPA and Regulation O. The proposed judgment imposes a $493,403.04 civil penalty, of which all but $5,000 is suspended due to the auditor’s limited ability to pay. The auditor is also permanently banned from providing mortgage assistance relief services or consumer financial products and services.
FTC approves settlement with software provider over FTC Act and GLBA data security failures
On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
As previously covered by InfoBytes, in its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, which resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The approved settlement requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the settlement requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
Fed issues enforcement action for flood insurance violations
On September 5, the Federal Reserve Board announced an enforcement action against a Nebraska-based bank for allegedly violating the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $37,000 penalty against the bank for an alleged pattern or practice of violations of Regulation H, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
FDIC enforcement actions include flood insurance, BSA violations
On August 30, the FDIC announced its release of a list of administrative enforcement actions taken against banks and individuals in July. The list reflects that the FDIC issued fourteen orders and one notice of charges, which include “four stipulated consent orders; four terminations of consent orders; four Section 19 orders; one stipulated civil money penalty order; one stipulated removal and prohibition order; and one notice of charges and hearing.”
Among other actions, the FDIC assessed a civil money penalty (CMP) against a Louisiana-based bank for alleged violations of the Flood Disaster Protection Act, including, among other things, (i) failing to obtain flood insurance coverage on loans at the time of origination, increase, renewal, or extension; or (ii) failing to maintain flood insurance coverage for the term of a loan secured by property located or to be located in a special flood hazard area.
The FDIC also entered into consent orders with an Oklahoma-based bank and a West Virginia-based bank relating to alleged weaknesses in their Bank Secrecy Act compliance programs.
Video-sharing site reaches $170 million settlement with FTC and New York AG
On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the complaint, the video-sharing site allegedly collected personal information in the form of “persistent identifiers” from viewers of child-directed channels without first obtaining verifiable parental consent. The persistent identifiers allegedly generated millions of dollars in revenue by delivering targeted ads to viewers. The FTC and New York AG allege, among other things, that the defendants knew the video-sharing site hosted numerous child-directed channels but told advertisers that the video-sharing site contains general audience content, even informing one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.
Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13—including through the use of persistent identifiers for targeted advertising purposes—unless the company has explicit parental consent. Furthermore, third parties—such as advertising networks—must also comply with COPPA where they have actual knowledge that personal information is being collected directly from users of child-directed websites and online services.
While neither admitting nor denying the allegations, except as specifically stated within the settlement, the defendants will, among other things, (i) pay a $136 million penalty to the FTC and a $34 million penalty to New York; (ii) change their business practices to comply with COPPA; (iii) maintain a system for channel owners to designate their child-directed content on the video-sharing site; and (iv) disclose their data collection practices and obtain verifiable parental consent prior to collecting personal information from children. According to the FTC, the $136 million penalty is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”
CFPB settles with Illinois debt collector
On August 28, the CFPB announced a settlement with an Illinois-based debt collection company to resolve allegations that the company engaged in improper debt collection tactics in violation of the Consumer Financial Protection Act and the FDCPA. Among other things, the company allegedly engaged in deceptive acts and practices by (i) threatening consumers with arrest, lawsuits, liens on their homes, and wage garnishment that the company did not plan on initiating; (ii) misrepresenting to consumers that company employees were attorneys; and (iii) informing consumers that their credit reports would be negatively affected if they failed to pay even though the company does not report consumer debts to credit-reporting agencies. While the company neither admitted nor denied the allegations, it has agreed to pay $36,878 in redress to harmed consumers and a $200,000 civil money penalty.
FTC settles with lead generator
On August 27, the FTC announced a settlement with an Illinois-based educational services company and its subsidiaries (defendants) to resolve deceptive marketing allegations in violation of the FTC Act and the Telemarketing Sales Rule. In the complaint, the FTC claimed the defendants used third-party lead generators that posed as military recruiters or job-finding services to encourage consumers to provide contact information via websites. The websites did not clearly inform the consumers that the personal information entered into online forms might be sold or used in training or educational programs. Rather, the FTC asserted that the lead generators falsely informed consumers that their information would not be shared. According to the FTC, the defendants then purchased these leads to call consumers in an attempt to enroll them in post-secondary schools, with many of these calls made to consumers on the National Do Not Call Registry. While the defendants did not carry out the deceptive practices to generate the leads, the FTC stated that the defendants established control over the marketing materials and reviewed telemarketing scripts that allegedly directed lead generators to falsely identify themselves as military recruiters. The FTC’s press release emphasized that “[t]his case demonstrates that the FTC will seek to hold advertisers liable for the deceptive or illegal practices of their affiliates, publishers, or other lead generators. We expect companies purchasing leads to implement strong vendor management programs and stay on the right side of the law.” Under the terms of the settlement, the defendants are: (i) ordered to pay $30 million; (ii) required to implement a system to review any marketing materials used by lead generators; (iii), prohibited from calling numbers on the National Do Not Call Registry without obtaining written consent; and (iv) banned from falsely stating that they represent the military or prospective employers.
7th Circuit overturns precedent, rejects restitution under Section 13(b) of FTC Act
On August 21, the U.S. Court of Appeals for the 7th Circuit held that Section 13(b) of the FTC Act does not give the FTC power to order restitution, overruling that court’s 1989 decision in FTC v. Amy Travel Service, Inc. As previously covered by InfoBytes, in June 2018, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act. The court concluded that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices. The FTC argued that the defendants’ scheme, which used the promise of a free credit report to enroll the consumers into a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” Additionally the court agreed with the FTC that the defendants’ website was materially misrepresentative because it did not give “the net impression that consumers were enrolling in a monthly credit monitoring service” for $29.94 a month, as opposed to defendants’ claim that consumers were obtaining a free credit report. The court also found that the defendants’ websites failed to meet certain disclosure requirements imposed by the Restore Online Shopper Confidence Act. The court entered a permanent injunction and ordered the defendants to pay over $5 million in “equitable monetary relief” to the FTC.
On appeal, the 7th Circuit affirmed the district court’s liability determination, and affirmed the issuance of the permanent injunction. However, the appellate court took issue with the restitution award ordered pursuant to Section 13(b) of the FTC Act. The appellate court noted that the FTC has long viewed Section 13(b) as authorizing awards of restitution, and even acknowledged that the 7th Circuit agreed with the FTC’s position in its decision in Amy Travel. However, subsequent to the Amy Travel decision, the Supreme Court, in Meghrig v. KFC W., Inc., clarified that “courts must consider whether an implied equitable remedy is compatible with a statute’s express remedial scheme.” Applying Meghrig, the 7th Circuit noted that “nothing in the text or structure of the [FTC Act] supports an implied right to restitution in section 13(b), which by its terms authorizes only injunctions.” The panel emphasized that the FTC Act has two other provisions that expressly authorize restitution if the FTC follows certain procedures, but the current reading of Section 13(b), based on Amy Travel, allows the FTC “to circumvent these elaborate enforcement provisions and seek restitution directly through an implied remedy.” Therefore, based on the Supreme Court precedent in Meghrig, the panel concluded that Section 13(b)’s grant of authority to order injunctive relief does not implicitly authorize an award of restitution, overturning its previous decision in Amy Travel and vacating the district court’s award of restitution.
Fed issues two enforcement actions for flood insurance violations
On August 20, the Federal Reserve Board announced enforcement actions against two separate Massachusetts-based banks for allegedly violating the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The first consent order assesses a $20,000 penalty against the bank for a pattern or practice of violations of Regulation H, but does not specify the number or the precise nature of the alleged violations; the second consent order assesses a $36,000 penalty, while similarly not specifying the number or precise nature of the violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
CFPB settles student-loan suit against defunct educational institution
On August 12, the CFPB announced a settlement with a defunct for-profit educational institution to resolve allegations that the defendant engaged in unfair and abusive acts and practices in violation of the Consumer Financial Protection Act through its private student loan origination practices. As previously covered by InfoBytes, the CFPB filed a lawsuit in 2014 alleging, among other things, that the defendant offered new students short-term zero-interest loans to cover the difference between the cost of attendance and federal loans obtained by students, but when the short-term loans came due at the end of the students’ first academic year, the defendant forced borrowers into “high-interest, high-fee” private student loans knowing that borrowers could not afford them. According to the Bureau, this practice resulted in a 64 percent default rate on the loans. The terms of the proposed settlement include a $60 million judgment against the defendant as well as an injunction prohibiting the defendant from offering or providing student loans in the future.
Earlier in June, the Bureau announced a settlement with a company that managed student loans for the defendant, which includes approximately $168 million in student loan forgiveness. (See previous InfoBytes coverage here.) The company has also agreed to permanently cease enforcing, collecting, or receiving payments on any of its loans.