InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB Fines Mortgage Servicer for RESPA Violations
On June 7, the CFPB ordered a mortgage servicer to pay up to $1.15 million in restitution for failing to provide borrowers with required foreclosure protections when handling loss-mitigation applications. The consent order alleges the servicer violated RESPA by failing to send critical information to consumers who were applying for foreclosure relief, and, in some circumstances, beginning foreclosure proceedings on borrowers who had submitted completed applications. Pursuant to the consent order, in addition to restitution, the servicer is required to provide borrowers the opportunity to pursue foreclosure relief, must cease its illegal practices, and develop policies and procedures to ensure compliance with mortgage servicing rules.
FTC Obtains Multiple Judgments Against California and Florida-Based Robocall Operations
The FTC recently entered judgments against robocalling operations based in California and Florida who engaged in activities that violated, among other things, the Telemarketing Sales Rule (TSR) and the Telemarketing Consumer Fraud and Abuse Prevention Act.
California Default Judgments. On June 2, the FTC announced a California federal district court judge approved default judgments against an individual and each of the nine corporations for which he was an “actual or de facto owner, officer or manager” (Defendants). According to the FTC’s complaint, over a period spanning approximately seven years, the Defendants allegedly initiated—or helped to initiate—“billions” of illegal robocalls without receiving written permission from consumers. Many of the calls made were to numbers on the Do Not Call (DNC) Registry to “induce the purchase of goods or services” such as auto warranties, home security systems, or search engine optimization services. Violations of the TSR cited include knowingly assisting and facilitating telemarketers engaged in abusive practices. According to the terms of the default judgments, the individual has been assessed a $2.7 million penalty, and the Defendants are permanently banned from all telemarketing activities.
Florida Consent Order. On June 5, the FTC and the Florida Attorney General entered eight stipulated orders against Orlando-based individuals and companies—18 Defendants in total—who violated the TSR, Telemarketing and Consumer Fraud and Abuse Prevention Act, and Florida’s Telemarketing and Consumer Fraud and Abuse Act for, among others things, using robocalls to sell credit card interest rate reduction programs, in addition to calling numbers on the DNC Registry. According to the joint complaint, the Defendants allegedly engaged in the following violations: (i) offered debt relief programs but failed to provide promised services; (ii) misrepresented their affiliations with consumers’ banks or credit card companies; (iii) unfairly authorized charges without obtaining consent; (iv) received fees prior to providing debt relief services; (v) failed to transmit telemarketer information; (vi) used prerecorded messages to “induce the purchase of goods or services”; and (vii) failed to make oral disclosures. The stipulated orders settle charges against all Defendants and require that they stop the “allegedly illegal conduct.” Some of the Defendants have also been issued financial penalties. Furthermore, the FTC entered a $4.8 million judgment against 12 Defendants identified as the primarily parties for the scam. This amount represents the full amount of consumer harm caused. All stipulated orders can be accessed through the FTC press release.
FDIC Releases List of Enforcement Actions Taken Against Banks and Individuals in April 2017
On May 26, the FDIC released its list of 18 administrative enforcement actions taken against banks and individuals in April. Among the consent orders on the list are civil money penalties for violations of the Flood Disaster Protection Act of 1973 and its flood insurance requirements. Also on the list are a cease and desist order and a civil money penalty assessment issued to a Louisiana-based bank (Bank) for violations of the Bank Secrecy Act (BSA), EFTA, RESPA, TILA, HMDA, and the National Flood Insurance Program. According to the cease and desist order, the FDIC Board of Directors agreed with the Administrative Law Judge’s recommended decision that the Bank engaged in unsafe or unsound practices, which warranted a cease and desist order and civil money penalty. The order also addressed a number of shortcomings identified by the Bank’s examiners, including the following: (i) the Bank’s BSA program lacked adequate internal controls to ensure compliance; (ii) it failed to provide correct and compete electronic funds transfer disclosures to consumers; (iii) borrowers were provided “untimely and improperly completed” good faith estimates; and (iv) the Bank repeatedly failed to accurately report required HMDA information to federal agencies.
An additional eight actions listed by the FDIC related to unsafe or unsound banking practices and breaches of fiduciary duty, including five removal and prohibition orders. There are no administrative hearings scheduled for June 2017. The FDIC database containing all of its enforcement decisions and orders may be accessed here.
NYDFS Fines Global Bank $350 Million for Alleged Foreign Exchange Trading Violations
On May 24, the New York Department of Financial Services (NYDFS) announced that it had assessed a $350 million fine against a global bank and its New York branch (Bank) as part of a consent order addressing allegations that the Bank’s foreign-exchange business had engaged in long-term violations of New York banking law. According to the announcement, NYDFS investigated alleged misconduct occurring between 2007 to 2013 and found the improper conduct “included collusive activity by foreign exchange traders to manipulate foreign exchange currency prices and foreign exchange benchmark rates; executing fake trades to influence the exchange rates of emerging market currencies; and improperly sharing confidential customer information with traders at other large banks.” Specifically, the violations include the following:
- collusion through on-line chat rooms to manipulate securities prices and artificially increase profits;
- improperly exchanging information about past and impending customer trades, including sharing confidential customer information via personal email, in order to maximize profits at customers’ expense;
- manipulating “the price at which daily benchmark rates were set—both from collusive market activity and improper submissions to benchmark-fixing bodies”; and
- “misleading customers by hiding markups on executed trades, including by using secretive hand signals when customers were on the phone; or by deliberately ‘underfilling’ a customer trades, in order to keep part of a profitable trade for the Bank’s own book.”
In addition to the $350 million monetary penalty, the Bank must, within 90 days of the consent order, submit written plans to (i) improve senior management’s oversight of the Bank’s compliance with New York laws and regulations governing its foreign exchange trading business; (iii) enhance internal controls and compliance to adhere to state and federal laws and regulations; and (iii) improve its compliance risk management and internal audit programs. Additionally, the Bank terminated certain employees involved in the misconduct and has agreed it will not—directly or indirectly—re-hire these individuals in the future. As part of this process, the Bank conducted an “employee accountability review” and disciplined other employees “for misconduct or supervisory failures.”
FTC Submits Annual Report on 2016 Enforcement Actions to CFPB
On June 1, the FTC announced that it submitted its 2016 Annual Financial Acts Enforcement Report to the CFPB. The report—requested by the Bureau for its use in preparing its 2016 Annual Report to Congress—covers the FTC’s enforcement activities related to compliance with Regulation Z (Truth in Lending Act or TILA), Regulation M (Consumer Leasing Act), and Regulation E (Electronic Funds Transfer Act or EFTA), as well as its initiatives to engage in research and consumer education.
According to the report, the FTC’s enforcement actions in 2016 concerning TILA involved automobile purchasing and financing, payday loans, and financing of consumer electronics. Regarding mortgage-related credit activity, the report highlights continued litigation in two cases involving mortgage assistance relief services involving “forensic audit scams.” Furthermore, the FTC continued its consumer and business education efforts on issues related to consumer credit transactions in the following areas: military lending, auto sales and financing, payday lending, marketplace lending, and consumer disclosures and testing.
Regarding the Consumer Leasing Act, the report noted the FTC had issued a final administrative consent order for deceptive advertising practices and failure to disclose key lease offer terms. The FTC also filed two federal court actions against automobile dealers. The FTC also engaged in research and policy development and educational activities in this area.
Concerning the EFTA, the FTC reported six new or ongoing cases, including four cases alleging violations in the context of “negative option” plans, in which a consumer agrees to “receive various goods or services from a company for a trial period at no charge or at a reduced price” but later incurs unauthorized recurring charges after the end of the trial period, in violation of the EFTA. The remaining two cases involved payday lending and consumer electronics financing. The FTC also engaged in rulemaking, research, policy development, and educational activities involving the EFTA.
OCC, Federal Reserve Issue Flood Insurance Violations; Reauthorization of National Flood Insurance Program Discussions Continue
During the month of May, the OCC and the Board of Governors of the Federal Reserve (Board) took action against certain banks for violations of the Flood Disaster Protection Act (FDPA) and National Flood Insurance Act (NFIA). Concurrently, House Financial Services Subcommittee Republicans circulated a package of draft legislation to reform and reauthorize the National Flood Insurance Program (NFIP), which expires at the end of September.
OCC Action. On May 19, as part of its monthly listing of enforcement actions taken against national banks, federal savings associations, and former institution-affiliated parties, the OCC announced that it had fined a Texas-based federal savings association $87,500 in April for violations of the FDPA. According to the consent order, the bank allegedly failed to “ensure the timely notification and force-placement of the requisite amounts of flood insurance on property securing loans in a special flood hazard area in which flood insurance is available under the NFIA.”
Federal Reserve Action. On May 25, the Board announced an enforcement action against a Georgia-based bank for violations of the NFIA. Although the consent order fines the bank $1.5 million, it does not specify how many violations there were or what they related to. However, the maximum civil money penalty under that law is $2,000 per violation. The NFIA has a number of requirements for banks, which include ensuring that a borrower has adequate flood insurance before originating a loan for a property in a special flood hazard area and providing notice to the borrower in a reasonable time before closing that they are required to have flood insurance.
National Flood Insurance Program Discussion. As previously covered in InfoBytes, several committees—including the Senate Committee on Banking, Housing, and Urban Affairs and the House Financial Services Committee—are discussing the reauthorization of the NFIP. On May 25, Rep. Sean Duffy (R-Wis.), Chairman of the House Financial Services Subcommittee, issued a series of reauthorization discussion drafts and summaries. The six bills (see below) included in the package would (i) reauthorize the NFIP for five years; (ii) limit annual premium increases; (iii) authorize states to voluntary create flood insurance affordability programs; (iv) eliminate the mandatory purchase requirement for commercial properties; (v) establish a private market for flood insurance; (vi) reform the flood zone mapping process to increase accuracy and fairness in mapping; (vii) require covered flood prone areas to develop plans to mitigate flood risks if they have repeated structure losses; and (viii) address fraud in the claims process.
- National Flood Insurance Program Policyholder Protection and Information Act of 2017—Discussion Draft and Summary;
- Private Flood Insurance Market Development Act of 2017—Discussion Draft and Summary;
- National Flood Insurance Program Mapping Fairness Act of 2017—Discussion Draft and Summary;
- Flood Risk Mitigation Act of 2017—Discussion Draft and Summary;
- National Flood Insurance Program Integrity Improvement Act of 2017—Discussion Draft and Summary; and
- National Flood Insurance Program Administrative Reform Act of 2017—Discussion Draft and Summary.
Duffy noted, “We’re releasing this discussion draft so that all sides can continue to provide input into protecting the program integrity of the NFIP.” He added, “The ideas stemming from this open process will ensure that everyone who needs flood insurance will have access to it while ensuring that the NFIP does not fall further into debt.”
Florida Judge Issues Temporary Injunction to Halt Debt Relief Operation
On May 25, at the request of the FTC and the State of Florida, a Southern District of Florida court issued a preliminary injunction order temporarily halting a debt relief operation that bilked millions of dollars from financially strapped consumers. According to the complaint filed by the FTC and the State of Florida, the Defendants—who operated the debt relief operation—allegedly violated the FTC Act, the FTC’s Telemarketing Sales Rule (TSR), and the Florida Deceptive and Unfair Trade Practices Act by claiming they would enroll consumers in loan forgiveness or payment reduction programs to pay, settle, or obtain dismissals of their debts and improve their credit. (See FTC v. Marcus, No. 0:17-cv-60907-CMA (S.D. Fla. May 8, 2017).) Consumers were often promised attractive interest rates and significantly lower monthly payments. However, consumers, after paying hundreds or thousands of dollars a month for promised debt-consolidation services, discovered their debts were unpaid, their accounts had defaulted, and their credit scores damaged. Several were sued by their creditors, and some were forced into bankruptcy. The FTC and the State of Florida further allege that the Defendants “falsely claimed non-profit status to appear more credible and legitimate.” The complaint further alleges that Defendants called consumers already enrolled with debt-relief providers to inform them that they were taking over the servicing of those accounts and would provide the same or similar debt relief services. Contrary to the Defendants’ promises, consumers ended up in worse financial positions.
In its preliminary injunction order, the court determined that there was good cause to believe that “immediate and irreparable harm” would result unless an injunction was issued. The order prohibits the defendants, in connection with the advertising, marketing, promotion or sale of any good or service, including any debt-relief product or service or credit product or service, from making misrepresentations about debt-relief programs or services and violating any provision of the TSR. The court also ordered a freeze of the Defendants’ assets, imposed financial reporting requirements, and appointed a temporary receiver. In a press release issued by the FTC, the Agency claims it seeks to “permanently stop the alleged illegal practices and obtain refunds for affected consumers.”
New York AG Settles Charges with Tech Company Over WiFi Lock Vulnerabilities
On May 22, New York Attorney General Eric T. Schneiderman announced that a Utah-based tech company agreed to settle allegations that, among other things, its wireless doors and padlocks failed to protect consumers’ personal information, leaving consumers vulnerable to hacking and theft. This action marks the first time the Attorney General’s office has taken legal action against a wireless security company for failing to protect private data. Results from an August 2016 study, conducted by independent security researchers, reveal that the tech company’s Bluetooth-enabled locks “transmitted passwords between the locks and the user’s smartphone . . . without encryption” and also contained “weak default passwords.” Both issues allowed perpetrators to intercept passwords and undo the locks. Under the terms of the settlement, the company agreed to reform its data security practices and implement a comprehensive security program.
U.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement
On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. According to multiple state attorneys general, this represents the largest multistate data breach deal to date. According to the states’ investigation, the November 2013 security breach occurred when cyberattackers accessed the retailer’s customer service database to install malware that was able to capture consumers’ personal information, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. Under the terms of the Assurance of Voluntary Compliance, the retailer agreed to do the following, including:
- develop, implement, and maintain a comprehensive Information Security Program (Program) and required safeguards;
- employ an executive or officer with information security experience responsible for executing the Program and advising the CEO and Board of Directors of security-related issues;
- develop and implement risk-based policies and procedures for auditing vendor compliance with the Program;
- maintain and support software on its network for data security purposes;
- maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
- segment its cardholder data environment from the rest of its computer network;
- undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication;
- deploy and maintain a file integrity monitoring solution; and
- hire a third-party to conduct a comprehensive security assessment.
The majority of the terms last five years.
States involved issued press releases announcing their portions of the settlement. California Attorney General Xavier Becerra stated that California will be receiving more than $1.4 million from the settlement, the largest share of any state. Illinois, which co-led the investigation with the state of Connecticut, will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan, who stated, “Today’s settlement . . . establishes industry standards for companies that process payment cards and maintain secure information about their customers.” Connecticut Attorney General George Jepsen noted that the retailer “deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement. I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”
Senators Reintroduce Truth in Settlements Act to Increase Transparency of Agency Settlements
On May 17, Senators Elizabeth Warren (D-Mass.) and James Lankford (R-Okla.) reintroduced a bipartisan bill entitled the Truth in Settlements Act of 2017 (S. 1145) to increase the transparency of major settlements reached by federal enforcement agencies. The bill—which was referred to the Committee on Homeland Security and Governmental Affairs—seeks to inform the public and hold federal regulators accountable for the true value of these settlements by requiring more accessible, detailed disclosures and “adequate information regarding the tax treatment of payments” made by companies and individuals under settlements with federal agencies. As previously covered in InfoBytes, the bill was first introduced in 2014. Sen. Warren commented that “more transparency means Congress, citizens and watchdog groups can better hold regulatory agencies accountable for enforcing laws so that everyone—even corporate CEOs—are equal under the law.” Similarly, Sen. Lankford remarked, “Taxpayers deserve an open and transparent government that is accountable to the American people.”
Notably, the proposed bill would demand more specificity and transparency by requiring federal agencies to post online, in a searchable format, a list of each covered settlement agreement, criminal or civil, with payments totaling $1 million or more. Furthermore, agencies will be required, among other things, to justify confidentiality provisions and explain whether any portion of the settlement amount is potentially tax deductible. The Senators also released a fact sheet detailing past settlements by federal agencies that have allowed tax deductions, offset credits, or designated agreements as confidential.