Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On December 22, 2023, the SEC announced awards totaling more than $28 million to seven whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, five of the whistleblowers provided significant information early in the investigation, participated in voluntary interviews, provided supporting documents to SEC staff, and identified key witnesses. The SEC also added that the whistleblowers made several attempts to internally report their concerns to company management. Two whistleblowers provided significantly less information than the other five later into the investigation, but still qualified for a percentage of the monetary sanctions collected in the covered action. Creola Kelly, Chief of the SEC’s Office of the Whistleblower, stated that “[t]hese whistleblowers provided valuable information and substantial assistance that played a critical role in the SEC returning millions of dollars to harmed investors.”
One claimant’s whistleblower award application was denied because they did not communicate directly with the SEC staff responsible for the Covered Action Investigation and none of the information provided by the claimant was forwarded to the responsible staff. As such, the claimant did not provide original information that led to the successful enforcement action.
Payments to whistleblowers are made out of an investor protection fund, established by Congress, which is financed entirely through monetary sanctions paid to the SEC by securities law violators.
On December 20, the CFPB and the DOJ issued a press release announcing the filing of a complaint against four affiliated Texas-based entities (collectively, the “developer”) alleging bait-and-switch land sales and predatory financing. The agencies claim the developer violated ECOA and FHA by targeting thousands of Spanish-speaking borrowers with predatory seller financing. The complaint also alleges the developer misrepresented or omitted material information regarding the seller-financed flood-prone lots having “the infrastructure necessary to connect water, sewer, and electrical services pre-installed,” and regarding flood risk. The complaint also claims that the developer did not provide purchasers with a property report before the purchaser entered into the subject agreement. Further, according to the complaint, the developer marketed the lots primarily in Spanish, but required borrowers to sign important transactional documents written in English only. The action also includes claims brought under other laws and regulations. Notably, this is the first federal court lawsuit the CFPB has brought under the Interstate Land Sales Full Disclosure Act of 1968 (ILSA).
On December 19, the FTC announced that the U.S. District Court for the Eastern District of Pennsylvania granted a temporary restraining order against a business opportunity scheme for allegedly engaging in deceptive acts. The court’s order barred the defendants from making misrepresentations about any business or money-making opportunity and froze the defendant’s assets. According to the FTC’s complaint, the business opportunity scheme violated the FTC Act’s prohibition of “unfair or deceptive acts or practices in or affecting commerce” and the Telemarketing Sales Rule by, among other things, (i) making misrepresentations regarding earnings from their products and services; (ii) furnishing “success coaches” with marketing materials to be used for new member recruitment, thus providing the means for the commission of deceptive acts or practices; (iii) making misrepresentations regarding profitability to persuade consumers to pay for membership, digital products, and marketing packages; (iv) making misrepresentations regarding material aspects of an investment opportunity; and (v) facilitating outbound calls that deliver prerecorded messages to encourage consumers to purchase its products, also known as robocalls. Beyond the temporary restraining order and asset freeze, the FTC is seeking a permanent injunction and other equitable relief.
On December 15, in conjunction with the DOJ’s Consumer Protection Branch efforts to crack down on fraud, the DOJ unsealed two cases against groups that allegedly stole money from consumer accounts with financial institutions. According to the DOJ, the groups used “deceptive tactics” to cover the fraud, and in the two cases, the Department is seeking “temporary restraining orders and the appointment of receivers to stop defendants from dissipating assets.”
The first case (in the U.S. District Court for the Southern District of Florida) involves a group that allegedly committed bank and wire fraud and stole millions from consumers and small businesses by repeatedly creating sham companies. According to the complaint, since at least 2017, the defendants operated fraud schemes disguised as legitimate online marketing service providers by fabricating websites, forging consumer authorizations for charges, and establishing a “customer service” call center to handle complaints. The defendants allegedly obtained bank account information from individuals and small businesses without permission and utilized payment processors to make unauthorized debits to accounts. The DOJ claims that, to carry out the fraud, the defendants used remotely created checks, which are created remotely by a payee using the account holder’s information but without their signature. The second case (in the U.S. District Court for the Eastern District of California) bears many similarities to the first case, including the type of alleged fraud scheme. Both cases also involve the use of “microtransactions,” which are low-dollar fake transactions designed to artificially lower the apparent rate of return or rejected transactions. The defendants in the second case in particular allegedly gathered large deposits from their merchant clients and used those funds to initiate microtransactions that appeared as if they were payments for the merchants’ goods and services. Essentially, according to the Department’s complaint, the merchants paid themselves: the funds initially paid to the defendants were returned to the merchants as microtransactions, while the defendants allegedly collected a percentage of the transactions as service fees.
On December 19, the Federal Reserve Board announced a written agreement with an Ohio state-chartered bank and its holding company to address certain deficiencies identified during a recent examination of the bank. Under the agreement, the bank and its holding company agreed to: (i) use the bank’s resources as a “source of strength”; (ii) submit a written plan to enhance board oversight and management; (iii) conduct a third-party assessment of the bank’s staff; (iv) submit an enhanced written investment policy that includes “periodic analysis of the investment portfolio, including, but not limited to the assessment of market risk, credit risk, interest rate risk, and liquidity risk of the underlying investments”; (v) improve the bank’s investment portfolio management and interest rate risk management practices; (vi) implement an enhanced liquidity risk management program; and (vii) submit a written plan regarding sufficient capital (among other corrective actions).
On December 15, the CFPB announced a consent order against a Pennsylvania-based nonbank medical debt collection company for alleged violations of the FCRA and FDCPA. According to the order, the company failed to (i) establish and implement reasonable written policies and procedures for ensuring the accuracy and integrity of information furnished to consumer reporting agencies; (ii) conduct reasonable investigations into direct and indirect consumer disputes about furnished information; (iii) report direct dispute investigation results to consumers; and (iv) indicate disputed items when furnishing information to reporting agencies. The company also allegedly lacked a reasonable basis for debt-related representations made to consumers and engaged in collection activities after receiving a written dispute within 30 days of the consumer’s receipt of a debt validation notice but before obtaining and mailing a verification of the debt.
The consent order permanently bans the company from involvement or aid in debt collection, purchasing or selling of any debts, or any consumer reporting activities. The company must also request credit reporting agencies to delete all collection accounts previously reported by the company. Additionally, the company is obligated to pay a $95,000 civil money penalty and must display on its website information that informs consumers about the option to file a complaint with the CFPB.
On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act.
The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the Bank did not comply with the CFPA and Regulation E.
The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order.
On December 5, the Court of Justice of the European Union (CJEU) issued a judgment clarifying the conditions under which a General Data Protection Regulation (GDPR) fine can be imposed on data controllers. The judgment is in response to two cases involving GDPR fines: (i) a German case in which a real estate company was fined for allegedly storing personal data for tenants for longer than necessary, and (ii) a Lithuanian case in which a government health center was fined in connection to the creation of an app that registered and tracked people exposed to Covid-19.
In the judgment, the CJEU clarified that a data controller can only face an administrative fine under the GDPR for intentional or negligent violations—that is, violations for which a data controller was aware or should have been aware of “the infringing nature of its conduct,” regardless of their knowledge of the specific violation. The judgment also held that for a legal person, it is not necessary for the violation to be committed by its “management body,” nor does that body need to have knowledge of the specific violation. Instead, the legal person is accountable for violations committed by its representatives, directors, or managers, and those acting on their behalf within the business scope. Additionally, imposing an administrative fine on a legal entity as a data controller does not require prior identification of a specific person responsible for the violation.
The judgment also addressed administrative fines for operations involving multiple entities. The CJEU noted that a controller may have a fine imposed upon it for actions undertaken by its processor. The court also clarified that a joint controller relationship arises from the two or more entities participating in determining the purpose and means for processing, and “does not require that there be a formal arrangement between the entities in question.”
To calculate the amount of an administrative fine under the GDPR, the supervisory authority must consider the notion of an “undertaking” under competition law. The maximum fine must be based on the percentage of the total worldwide annual turnover of the particular undertaking in the preceding business year.
On November 28, the FTC announced it is sending more than $3 million in refunds to businesses from an enforcement action against a Colorado-based digital marketplace company. In 2022, the FTC filed an administrative complaint alleging, among other things, that the defendant made false, misleading, or unsubstantiated claims regarding the quality and source of the leads it was selling to service providers, such as general contractors and small lawn care businesses (covered by InfoBytes here). As a result of its January proposed order, FTC will disperse 110,372 refunds to eligible home service providers, and is sending out 91,273 claims forms to businesses that paid for one of defendant’s services.
CFPB obtains stipulated judgment ordering student financing company to pay over $30 million in damages
On November 20, the United States Bankruptcy Court for the District of Delaware entered a stipulated judgment in favor of the CFPB and 11 other state enforcement agencies in connection with an adversary proceeding against a vocational training program. As previously covered by InfoBytes, the complaint alleged that the education firm (company) engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and misleading borrowers into believing that no payments would need to be made until they received a job offer. According to the CFPB, the company trained consumers to become sales development representatives, an entry-level role that requires “little or no prior sales experience or training,” and made promises it could not deliver on, such as promising a “6-figure” career in software sales. The company also initially priced its services at $2,500 in 2018, and then increased it to $15,000 the following year without any value justification. The company would recoup its payment through income share agreements (ISA). The CFPB alleged multiple causes of action against the company, including violations of the CFPA, TILA, and the FDCPA, among others. The stipulated judgment includes orders requiring the company to refund student borrowers, cancel outstanding loans, and permanently shut down.