
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC Reaches Settlement With Investment Adviser for Allegedly Overcharging Clients

    Securities

    On September 14, the SEC announced a settlement in an administrative proceeding against a national bank’s investment adviser subsidiary that allegedly overcharged more than 4,500 clients a total of over $1.1 million for costlier mutual fund share classes that carried 12b-1 marketing and distribution fees when shares of the same mutual funds were available without such fees. The SEC alleged that, from at least December 2011 through approximately June 2015, the investment adviser breached its fiduciary duties, made inadequate disclosures regarding conflicts of interest between the investment adviser and its representatives (who ultimately shared in the gains from the 12b-1 fees as compensation), and did not update its compliance policies and procedures to require its investment adviser representatives to identify or evaluate available share classes. The order cites violations of the Investment Advisers Act of 1940, as well as Rule 206(4)-7. While the investment adviser has neither admitted nor denied the allegations, it has, among other things, agreed to pay a penalty of more than $1.1 million, will provide disgorgement plus interest on any 12b-1 fees that have not yet been refunded to customers, and has been censured.

    Securities SEC Investment Adviser Settlement Enforcement

  • CFPB’s Summer Edition of Supervisory Highlights Discloses Findings Across Many Financial Services Areas

    Consumer Finance

    On September 12, the CFPB released its summer 2017 Supervisory Highlights, which outlines its supervisory and oversight actions in areas such as auto loan servicing, credit card account management, debt collection, deposit account supervision, mortgage origination and servicing, remittances, service provider programs, short-term small-dollar lending, and fair lending. According to the Supervisory Highlights, recent supervisory resolutions have “resulted in total restitution payments of approximately $14 million to more than 104,000 consumers during the review period” between January 2017 and June 2017.

    As examples, in the area of auto loan servicing, examiners discovered vehicles were being repossessed even though the repossession should have been cancelled. Coding errors, document mishandling, and failure to timely cancel the repossession order were cited causes. Regarding fair lending examination findings, the CFPB discovered, in general, “deficiencies in oversight by board and senior management, monitoring and corrective action processes, compliance audits, and oversight of third-party service providers.” Examiners also conducted ECOA Baseline Reviews on mortgage servicers and discovered weaknesses in servicers’ fair lending compliance management systems. Findings in other areas include the following:

    • consumers were provided inaccurate information about when bank checking account service fees would be waived, and banks misrepresented overdraft protection;
    • debt collectors engaged in improper debt collection practices related to short-term, small-dollar loans, including attempts to collect debts owed by a different person or contacting third parties about consumers’ debts;
    • companies overcharged mortgage closing fees or wrongly charged application fees that are prohibited by the Bureau’s Know Before You Owe mortgage disclosure rules; and
    • borrowers were denied the opportunity to take full advantage of the mortgage loss mitigation options, and mortgage servicers failed to “exercise reasonable diligence in collecting information needed to complete the borrower’s application.”

    The Bureau also set forth new examination procedures for HMDA data collection and reporting requirements as well as student loan servicers, in addition to providing guidance for covered persons and service providers regarding pay-by-phone fee assessments.

    Consumer Finance CFPB Enforcement Auto Finance Credit Cards Debt Collection Fair Lending ECOA Compliance Mortgage Origination Mortgage Servicing HMDA Student Lending Loss Mitigation

  • FTC Announces First EU-U.S. Privacy Shield Enforcement Actions Over False Certification Claims

    Privacy, Cyber Risk & Data Security

    On September 8, the FTC announced settlements with three companies over allegations that they falsely claimed certification to take part in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. These settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions. In July 2016, the EU finalized and adopted the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations. (See previous InfoBytes summary here.) In separate complaints, the FTC alleges that a human resources software company, a printing services company, and a company that manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield without having completed the certification process. According to the terms of the settlements as summarized in the FTC press release, the companies are all banned from “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.”

    Privacy/Cyber Risk & Data Security Enforcement FTC Settlement

  • CFPB Issues Consent Order to Online Lead Aggregator, Settles Separate 2016 Lead Aggregator Action

    Consumer Finance

    On September 6, the CFPB ordered an online loan lead aggregator to pay $100,000 for its alleged involvement in selling leads to small-dollar lenders and installment loan purchasers who then extended loans that were void in whole or in part under the borrower’s state laws. The consent order alleges that the California-based company knew the state of residence for each lead sold, yet “regularly sold [l]eads for consumers located in states where the resulting loan was void or the lender had no legal right to collect the principal, interest, or fees from the consumer based on state-licensing requirements or interest-rate limits.” The order also claims that, because the company knows the identity of each purchaser prior to the sale of the loan, it should also know (i) whether the purchaser is likely to comply with the state laws, or (ii) whether the leads it sells will result in loans exceeding state usury interest rate limits or fail to be in compliance with the consumer’s state laws. Pursuant to the consent order, in addition to the $100,000 civil money penalty, the company must (i) “undertake reasonable efforts to ensure” leads do not result in loans that are void under the laws of the consumer’s state; (ii) obtain, among other things, copies of licenses required by each state for its end users “where the absence of such a license would render a loan void in whole or in part under the laws of that state”; (iii) implement procedures for reviewing loans that result from its leads to ensure compliance with privacy and other laws; (iv) establish a policy to prohibit lenders from making loans that are likely to result in loans that are void under the consumer’s state-licensing requirements or interest-rate limits and “refrain from conveying” leads for such loans; and (v) submit registration for the Bureau’s Company Portal.

    On the same day, the CFPB also entered into a $250,000 settlement with the company’s president and primary owner for his alleged actions cited in a 2016 complaint involving his role as the operator of a different online lead aggregator. (See previous InfoBytes summary here.) In addition to the civil money penalty, the president has agreed to (i) make efforts to guarantee that all loans offered to consumers are valid in the states where they live; (ii) ensure that there is no misleading, inaccurate, or false information contained in the consumer-facing content of all lead generators from which leads are accepted; and (iii) require all lead generators to “prominently disclose to consumers an accurate description” of how leads will be received, conveyed, and processed. The president has neither admitted nor denied the CFPB’s allegations.

    Consumer Finance CFPB Payday Lending Data Collection / Aggregation Enforcement Settlement

  • FTC Announces Two Separate Settlements to Resolve Allegedly Deceptive Telemarketing Schemes

    Consumer Finance

    On September 1, the FTC issued a press release announcing a settlement with a Utah-based operation and its owner (Defendants) to resolve allegations that the company had created merchant accounts to help telemarketers process consumer credit card transactions in violation of the Federal Trade Commission Act (FTC Act) and the Telemarketing Sales Rule (TSR). According to the complaint, Defendants nominated individuals to serve as “principals” of straw companies, which then were used to open merchant accounts to assist telemarketers who did not meet the requirements or standards for opening the accounts on their own. The telemarketers, in turn, allegedly deceived consumers by making false promises regarding business opportunities that they claimed would generate substantial income, and processed credit card payments from consumers using the straw company merchant accounts for the allegedly “worthless opportunities.” Under the terms of the order, Defendants are permanently banned from the payment processing business, including acting as an independent sales organization or sales agent, and must pay a judgment of more than $3 million. The FTC suspended the judgment due to the Defendants’ inability to pay, but noted that it “will become due immediately if [Defendants] are found to have misrepresented their financial condition.”

    Separately, on August 31, the FTC announced that a default judgment had been issued in a pending action brought against the operators of a deceptive telemarketing scheme who allegedly targeted Spanish-speaking consumers by pretending to be affiliated with the Peruvian government and deceived consumers by giving the impression that the calls were from emergency responders or from people the consumers had provided as references. The complaint, which alleged violations of the FTC Act and the TSR, claimed that consumers were presented opportunities to participate in language courses at discounted prices and were misled about prizes they had won. When consumers declined to participate or cancelled delivery of the prizes, the telemarketers made “false and threatening” claims of “legal or financial consequences,” allegedly posing as lawyers or government officials. Under the terms of the default judgment, the telemarketers (i) are ordered to pay $6.3 million as equitable monetary relief; (ii) are banned from telemarketing activities; and (iii) are prohibited from misrepresenting material facts.

    Consumer Finance FTC Enforcement Telemarketing Sales Rule FTC Act Settlement

  • FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security

    Privacy, Cyber Risk & Data Security

    On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”

    According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (ii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.

    The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.

    Privacy/Cyber Risk & Data Security State Attorney General Enforcement Settlement FTC Act

  • CFPB Proposes Permanent Ban on Credit Repair Company for Misleading Consumers, Illegal Fees

    Consumer Finance

    On August 30, the CFPB and a credit repair company requested a California federal court to enter a final judgment and order to end the CFPB’s lawsuit against the company. The Bureau claimed that the company had violated the Consumer Financial Protection Act of 2010 and the Telemarketing Sales Rule among other things. According to a CFPB press release, the company “[c]harged illegal advance fees”; “[m]isled consumers about the benefits of its credit repair services”; “[m]isrepresented the costs of its services”; and “[f]ailed to disclose limits on ‘money-back guarantee.’” As previously reported in InfoBytes, the CFPB filed similar proposed final judgments against other credit repair companies for largely the same reasons.

    In addition to permanently prohibiting the defendant from working in the credit repair industry, the proposed settlement also requests a civil money penalty of $150,000.

    Consumer Finance CFPB Telemarketing Sales Rule CFPA Enforcement

  • FTC Enters Consent Order with Final Defendant in Alleged 2015 Debt Collection Scheme

    Consumer Finance

    On August 30, the FTC announced a settlement banning the final defendant who had participated in a debt collection scheme from debt collection activities. The settlement stems from a 2015 action against three groups of defendants who allegedly violated the FTC Act and the Fair Debt Collection Practices Act (FDCPA) by engaging in the following activities, among others: (i) attempting to collect debts consumers claimed they did not owe; (ii) impersonating law enforcement to threaten non-compliant consumers with arrests and lawsuits; (iii) harassing friends, family members, and employees in an attempt to collect debts; and (iv) failing to identify themselves as debt collectors. (See previous InfoBytes summary here.) In 2016, the FTC reached separate settlements (here and here) against two of the three groups of debt collectors. In addition to banning the final defendant from debt collection activities, the 2017 action also imposes a $9.39 million judgment to be suspended due to the defendant’s inability to pay. However, the judgment will become immediately due if the defendant is found to have misstated his financial condition.

    Consumer Finance Debt Collection FTC Enforcement UDAAP FDCPA FTC Act

  • FTC Files Complaint Against Debt Collection Operation for FTC Act and FDCPA Violations

    Consumer Finance

    On August 29, the FTC issued a press release announcing charges against a North Carolina-based debt collection business (defendants) for allegedly using a variety of “trade names” that sound like law firms to threaten individuals if they failed to pay debt they did not actually owe or that the defendants had no right to collect. According to the complaint, the defendants violated the FTC Act by making false, unsubstantiated, or misleading representations regarding debt owed on payday loans or other debts and threatening legal action. Additionally, the defendants allegedly violated the Fair Debt Collection Practices Act by: (i) communicating with consumers “at times or places known or which should be known to be inconvenient to the consumer” or “at the consumer’s place of employment when Defendants knew or had reason to know that the consumer’s employer prohibits the consumer from receiving such communications”; (ii) engaging in “unlawful third-party communications” without obtaining prior consumer consent; (iii) participating in harassing and abusive collection practices; (iv) making false, deceptive, or misleading representations, including by withholding the true status of the debt, impersonating attorneys, threatening legal action, and failing to disclose they were debt collectors; and (v) failing to provide consumers written verification of their debt within the required time frame. A federal judge in the U.S. District Court for the Western District of North Carolina has temporarily restrained and enjoined the defendants’ alleged illegal practices and frozen their assets.

    Consumer Finance Debt Collection FTC Enforcement UDAAP FDCPA FTC Act

  • FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations

    Privacy, Cyber Risk & Data Security

    On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction to protect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to deliver privacy notices to customers as required by the Privacy Rule.

    Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”

    The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.

    Privacy/Cyber Risk & Data Security FTC Enforcement Gramm-Leach-Bliley Regulation P Safeguards Rule FTC Act
