Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 14, FCC Chairwoman Jessica Rosenworcel announced the establishment of the Commission’s new Privacy and Data Protection Task Force. According to the announcement, the task force will coordinate efforts across the FCC on rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors. These coordinated measures, Rosenworcel said, are intended to protect against and respond to data breaches involving telecommunications providers and those related to cyber intrusions. Measures will also address supply chain vulnerabilities involving third-party vendors that service regulated communications providers. Speaking to the Center for Democracy and Technology Forum on Data Privacy, Rosenworcel commented that data monetization is big business and that “market incentives to keep our data and slice and dice it to inform commercial activity are enormous” and only increasing. She provided examples of data aggregators selling individual geolocation data and said this demonstrates how information can be monetized. Rosenworcel further explained that the task force will also provide input on Commission efforts to modernize the FCC’s data breach rules. As previously covered by InfoBytes, the FCC issued a notice of proposed rulemaking in January to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information.
The U.S. District Court for the Northern District of California recently granted the CFTC’s motion for default judgment in an action accusing a decentralized autonomous organization of violating the Commodity Exchange Act (CEA) by operating an illegal trading platform and unlawfully acting as a futures commission merchant. (See also CFTC press release here.) The CFTC maintained that the organization’s platform and its blockchain-based software “protocol” enables users to engage in retail commodity transactions but does not provide protections or other requirements mandated under the statute. In addition to unlawfully offering leveraged and margined retail commodity transactions outside of a registered exchange, the organization is charged with failing to comply with Bank Secrecy Act obligations applicable to future commission merchants, including implementing a customer information program or conducting know your customer procedures. The default judgment requires the organization to shutter its website and remove its content from the internet, and orders permanent trading and registration bans. The organization also must pay a $643,542 civil money penalty and is enjoined from future violations of the CEA.
On June 7, the FTC announced that it submitted its 2022 Annual Financial Acts Enforcement Report to the CFPB. The report covers FTC enforcement activities regarding the Truth in Lending Act (TILA), the Consumer Leasing Act (CLA), and the Electronic Fund Transfer Act (EFTA). Highlights of the enforcement matters covered in the report include, among other things:
- Automobile purchase and financing. The report discussed an April 2022 settlement with a car dealership group, which resolved claims that the dealership group added on unwanted fees to consumers and allegedly failed to include details on repayment and annual percentage rates in advertising mailers. The settlement led to a redress sent to consumers.
- Payday lending. The report highlighted a settlement reached with a payday lending enterprise for allegedly overcharging consumers millions of dollars. The FTC claimed the enterprise made deceptive statements about the terms of their loan agreements and payments and withdrew funds from consumers’ accounts without consent. The order resulted in consumers receiving refunds.
- Credit repair and debt relief. The report included a settlement with the operators of a student loan debt relief scheme, who were charged with “falsely promising consumers it could lower or eliminate student loan balances, illegally imposing upfront fees for credit repair services, and signing consumers up for high-interest loans to pay the fees without making required loan disclosures in violation of the FTC Act and TILA.” The order also resulted in consumers receiving refunds.
- Other credit. The report detailed the first case involving the Military Lending Act, where a jewelry company was charged with allegedly charging military families illegal financing and using deceptive sales practices. Specifically, the company was charged with deceptively claiming that financing jewelry through the company would increase the consumer’s credit score, misrepresenting that their protection plans were required, and adding plans without the consumer’s consent. The company was also charged with failing to provide clear terms for preauthorized electronic fund transfers. The settlement required the company to provide refunds, stop collecting debt, and cease operations and dissolve.
Additionally, the FTC addressed rulemaking that is underway. The agency highlighted an impending ban on junk fees and bait and switch advertising tactics, and briefly discussed two advance notices of proposed rulemaking issued last October that would crack down on junk fees and fake reviews and endorsements. The FTC also highlighted the Military Task Force’s work on consumer protection issues.
On June 8, the Department of Financial Protection and Innovation (DFPI) released its second annual report covering California Consumer Financial Protection Law (CCFPL) actions two years after the statute took effect. DFPI reported growth across rulemaking, enforcement, supervision, complaint handling, stakeholder outreach, and consumer education. It also developed several new department functions to support historically underserved communities.
According to the report, DFPI’s increased visibility in the consumer protection space has generated more consumer complaints, resulting in more enforcement actions. Compared to 2021, there was a 514 percent increase in CCFPL-related complaints (approximately 454 complaints), and an 85 percent increase in CCFPL-related investigations (approximately 196 investigations). Top complaint categories included debt collection and crypto assets, with student loan servicers and credit reporting closely following at third and fourth. To address these issues, DFPI opened 110 crypto-related investigations and launched a consumer alerts page on its website featuring 67 public actions and 65 consumer alerts.
Other key takeaways from the report include that DFPI (i) ordered more than $250,000 in penalties; (ii) ordered over $300,000 in restitution to consumers; (iii) brought its first two civil actions using CCFPL authority; (iv) had 105,000 people attend its outreach and education events; (v) published a notice of proposed rulemaking requiring providers of certain financial services and products to register with the DFPI; and (vi) chaptered two pieces of legislation adding to the laws that DFPI may enforce under the CCFPL.
On June 6, the New Jersey attorney general and the New Jersey Division of Consumer Affairs filed an action against a realty company and its principals (collectively, “defendants”) for allegedly violating the state’s Consumer Fraud Act by making deceptive misrepresentations about its “Homeowner Benefit Program” (HBP). Concurrently, the New Jersey Real Estate Commission in the Department of Banking and Insurance filed an order to show cause alleging similar misconduct and taking action against the real estate licenses belonging to the company and certain related individuals.
According to the complaint, the defendants’ HBP was marketed to consumers as a low-risk opportunity to obtain quick, upfront cash between $300 and $5000 in exchange for giving defendants the right to act as their real estate agents if they sold their homes in the future. The HBP was not marketed as a loan and consumers were told they were not obligated to repay the defendants or to ever sell their home in the future. However, the press release alleged that the HBP functions as a high-interest mortgage loan giving the defendants the right to list the property for 40 years, and that the loan survives the homeowner’s death and levies a high early termination fee against the homeowners. The complaint further charged the defendants with failing to disclose the true nature of the HBP and failing to present the terms upfront. Moreover, in order to sell the HBP, the defendants allegedly placed unsolicited telephone calls to consumers despite not being licensed as a telemarketer in New Jersey. The complaint seeks an order requiring defendants to discharge all liens against homeowners, pay restitution and disgorgement, and pay civil penalties and attorneys’ fees and costs.
The order to show cause alleges violations of the state’s Real Estate License Act and requires defendants to show why their real estate licenses should not be suspended or revoked, as well as why fines or other sanctions, such as restitution, should not be imposed. Defendants have agreed to cease any attempt to engage New Jersey consumers in an HBP agreement pending resolution of the order to show cause.
On May 26, the SEC announced that a Connecticut-headquartered tech research and consulting company (the “settling company”) agreed to pay nearly $2.5 million to settle claims that it violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA. According to the SEC’s order, from roughly December 2014 through August 2015 the settling company allegedly entered into a scheme with several private South African companies through which a South African IT consulting company was paid substantial amounts of money even though the settling company “knew or consciously disregarded the possibility” that all or part of this money would go to South African government officials to influence the award of multi-million-dollar contracts to the settling company. During this time, the SEC found that the settling company’s policy regarding third-party consultants failed to adequately address anti-corruption risks, and the settling company lacked sufficient internal accounting controls to document payments made to third parties. The settling company also failed to implement anti-corruption vendor onboarding procedures and lacked adequate monitoring procedures, the SEC said.
The settling company consented to the SEC’s order without admitting or denying the allegations and agreed to pay a $1.6 million civil money penalty and $856,764 in disgorgement and prejudgment interest. The SEC recognized the company’s cooperation and remedial efforts.
On May 31, the DOJ filed a complaint on behalf of the FTC against a global e-commerce tech company for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) relating to its smart voice assistant’s data collection and retention practices. While the company repeatedly assured users that they could delete collected voice recordings and geolocation information, the complaint alleged that the company held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. Additionally, the complaint also contended that, for a significant period of time, the company continued to retain transcripts for recordings even after the voice recordings were deleted. According to the complaint, the company failed to provide complete, truthful notice to parents about its deletion practices and lacked an effective system to ensure users’ data deletion requests were honored.
The proposed court order would require the company to pay a $25 million civil money penalty and would prohibit the company from using geolocation and voice to create or improve any of its data products after a deletion request. The company would also be required to (i) delete any inactive smart voice assistant children’s accounts; (ii) notify users about its data retention and deletion practices and controls; and (iii) implement a privacy program specific to its use of users’ geolocation information, among other things.
On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
“Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.
The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.
On May 18, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Among the enforcement actions is a consent order against an Indiana-based bank for allegedly engaging in unsafe or unsound practices relating to, among other things, its strategic and capital planning, risk management processes, audit program, and consumer compliance program (including alleged violations of TILA and Regulation Z). In addition to complying with measures to address the alleged deficiencies, the bank (which neither admits nor denies the allegations) is also required to submit written consumer compliance policies and procedures designed to ensure compliance with TILA and Regulation Z. The bank also must undergo an independent compliance review and audit and ensure bank officers and employees are appropriately trained.
A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.
The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.
A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.
In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.