On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.
On June 21, the Federal Reserve Board released civil penalty orders against two state banks, both relating to alleged violations of the National Flood Insurance Act (NFIA) and its implementing regulation, Regulation H. The first civil penalty order, against a Minnesota-based bank, assessed a $4,950 penalty for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The second civil penalty order, against an Arkansas-based bank, assessed a $13,950 penalty for an alleged pattern or practice of violations of Regulation H without specifying the number or precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs’ offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “‘unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”
Under the terms of the settlement, the company has agreed to provisions designed to strengthen its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (iii) instituting multi-factor authentication for remote email access; (iv) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (v) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (vi) undergoing an independent information security assessment, consistent with past data breach settlements.
On June 21, the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.
On June 13, the SEC announced a settlement with three subsidiaries of a financial services holding company (collectively, “respondents”) regarding their robo-adviser service. The order, which the respondents consented to without admitting or denying the findings, imposes a civil money penalty of $135 million and a total of $52 million in disgorgement. The order also provides that the respondents must cease and desist from committing or causing any future violations of the antifraud provisions in the Investment Advisers Act.
On June 10, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against an individual defendant who participated in a deceptive debt-relief operation. As previously covered by InfoBytes, in 2019, the Bureau, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. In the third amended complaint, the Bureau and the states alleged that since at least 2015, the debt relief operation violated the CFPA, TSR, FDCPA, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by, among other things, misrepresenting: (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness for borrowers; and (iii) their ability to actually lower borrowers’ monthly payments. Moreover, the debt relief operation allegedly failed to inform borrowers that it was their practice to request that the loans be placed in forbearance and also submitted false information to student loan servicers to qualify borrowers for lower payments.
Under the terms of the final judgment, in addition to various forms of injunctive relief, the individual defendant must pay a $1 civil money penalty to the Bureau and $5,000 each to Minnesota, North Carolina, and California. The individual defendant is also “liable, jointly and severally, in the amount of $95,057,757, for the purpose of providing redress to Affected Consumers,” although his obligation to pay this amount is “suspended based on [his] inability to pay.”
On June 9, the CFPB filed a stipulated final judgment and order in the U.S. District Court for the Southern District of California resolving allegations that the operator of a student-loan debt relief company engaged in unfair debiting of consumer accounts, in violation of the CFPA. According to the complaint, in 2016, the defendant founded a student debt relief company, which “did not solicit new consumers, but instead obtained student-loan account and billing information for hundreds of former [student debt relief operation] consumers without the knowledge or consent of those consumers.” As previously covered by InfoBytes, in 2016, the CFPB filed a consent order against a San Diego-based student debt relief operation for alleged violations of the CFPA, the TSR, and Regulation P by deceiving borrowers into paying fees for federal loan benefits and misrepresenting to consumers that it was affiliated with the Department of Education. The CFPB alleged that the defendant led a debt collection scheme by withdrawing $39 per month, and collecting hundreds of thousands of dollars in total fees from student borrowers’ bank accounts, without authorization, after previously obtaining their names and account information from the former student loan debt relief business. According to the CFPB, “under this scheme, [the defendant’s] company had unlawfully debited more than $240,000 from hundreds of student borrowers’ accounts.” Under the terms of the settlement, the defendant is permanently banned from engaging in debt relief services and must pay a $175,000 penalty to the CFPB.
On June 6, the FTC obtained a stipulated court order permanently banning a company and owner from participating in the merchant cash advance and debt collection industries. As previously covered by InfoBytes, last June the FTC filed an amended complaint against two New York-based small-business financing companies and a related entity and individuals (including the settling defendants), claiming the defendants engaged in deceptive and unfair practices by, among other things, misrepresenting the terms of their merchant cash advances, using unfair collection practices, deceiving consumers about personal guarantees, forcing consumers and businesses to sign confessions of judgment, providing less funding than promised due to undisclosed fees, and making unauthorized withdrawals from consumers’ accounts. Under the terms of the stipulated order, the settling defendants are required to pay a more than $2.7 million monetary judgment to go towards refunds for harmed consumers and must vacate any judgments against former customers and release any liens against their customers’ property. The announcement notes that the settling defendants are also “prohibited from misleading consumers about any key facts about any good or service, including any fees, the total cost of the product, and other facts that reflect their deceptions in this case.”
Earlier in January, a stipulated order was entered against two other defendants (covered by InfoBytes here), which permanently banned them from participating in the merchant cash advance and debt collection industries and required the payment of a $675,000 monetary judgment.
On June 3, the FTC announced that it submitted its 2021 Annual Financial Acts Enforcement Report to the CFPB. The report covers FTC enforcement activities regarding the Truth in Lending Act (TILA), the Consumer Leasing Act (CLA), and the Electronic Fund Transfer Act (EFTA). Highlights of the enforcement matters covered in the report include, among other things:
- Automobile Credit and Leasing. The report discussed the FTC’s July 2021 settlement with the owners of car dealerships in Arizona and New Mexico (collectively, “defendants”) resolving claims that the defendants misrepresented consumer information on finance applications and misrepresented financial terms in advertisements in violation of TILA and CLA (covered by InfoBytes here).
- Payday Lending. The report highlighted the FTC’s settlement against a payday lending enterprise for allegedly overcharging consumers millions of dollars, deceiving them about the terms of their loans, and failing to make required loan disclosures. According to the report, the owners and operators of the settling entities are banned from making loans or extending credit, nearly all debt held by the company will be deemed paid in full, and the companies involved are being liquidated, with the proceeds to be used to provide redress to consumers harmed by the company.
- Credit Repair and Debt Relief. The report discussed the FTC’s settlement with the operators of a student loan debt relief scheme, who were charged with falsely promising consumers the company could lower or eliminate student loan balances, illegally imposing upfront fees for credit repair services, and signing consumers up for high-interest loans to pay the fees without making required loan disclosures in violation of TILA. The order bans the defendants from providing debt relief services and collecting any further payments from consumers who purchased the services, and requires the defendants to return money to be used to refund consumers.
Additionally, the report addressed the FTC’s research and policy efforts and highlighted the FTC’s Military Task Force’s work on military consumer protection issues.
On June 2, HUD announced a conciliation agreement with a mortgage lender to resolve allegations that it engaged in discriminatory lending practices based on race and national origin, in violation of the Fair Housing Act (FHA). The agreement arises from a complaint filed with HUD by the National Community Reinvestment Coalition (NCRC), which alleged that testing in the Seattle-Tacoma area revealed that Black and Hispanic testers were treated differently than White testers who sought housing loans. While the respondent denied that it provided less favorable treatment to testers based on race or national origin, it has agreed to pay $65,000 to NCRC and will “contribute an additional $10,000 to a Seattle-area non-profit organization specializing in providing financial literacy and housing education and counseling for persons in majority-minority census tracts in the Seattle-Tacoma-Bellevue metropolitan area.” The respondent will also conduct an event in the Seattle metro area to improve homeownership rates of Black homebuyers and will provide additional fair lending training to employees. The conciliation agreement does not constitute an admission by respondent or evidence of a finding by HUD of a violation of the FHA.