InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
SEC awards whistleblower with audit responsibilities more than $300,000
On December 14, the SEC announced a more than $300,000 whistleblower award in connection with a successful enforcement action. According to the redacted order, in connection with the whistleblower’s audit-related responsibilities, the whistleblower became aware of potential securities law violations and voluntarily provided original information that contributed significantly to the enforcement action. The whistleblower also met with enforcement staff numerous times, helped to identify potential witnesses, and “aggressively attempted to remedy the misconduct and suffered a unique hardship.” The SEC notes in its press release that while individuals with audit or compliance responsibilities are generally ineligible for awards, “a whistleblower who reasonably believes that an entity is engaging in conduct that would impede the investigation falls within one of the exceptions to that rule.” This is the fourth award paid to a whistleblower with internal audit or compliance-related responsibilities.
The SEC has now paid approximately $731 million to 124 individuals since the inception of the program.
Federal and state authorities target income scams
On December 14, the FTC, along with 19 federal, state, and local law enforcement partners, announced “Operation Income Illusion,” which encompasses more than 50 enforcement actions against scams targeting consumers with false promises of income and financial independence. According to an analysis of complaint data by the FTC, consumers have reported that they lost more than $610 million to income scams since 2016—with more than $150 million of losses reported in the first nine months of 2020—which the FTC attributes to the increase in scams related to the Covid-19 pandemic.
The announcement also includes four new enforcement actions and one settlement that are part of Operation Income Illusion, (i) an action and temporary restraining order against a Florida-based operation, which sold expensive memberships to programs by promoting earnings between $500 and $12,500 per sale; (ii) an action against a company with Spanish-language ads targeting Latina consumers with false promises of large profits reselling luxury products; (iii) an action and temporary restraining order against a company marketing investment-related services claiming they would enable consumers to make consistent profits off the market; (iv) an action and temporary restraining order against companies perpetuating a telemarketing scheme claiming false affiliation with Amazon.com to get consumers to purchase business opportunity programs; and (v) settlements (available here and here) with ten defendants involved in a scam targeting older adults while selling various money-making opportunities.
The other agencies reporting actions as part of the sweep include: the SEC, CFTC, the U.S. Attorney’s Office for the Eastern District of Arkansas; and state and county agencies in Arizona, Arkansas, California, Florida, Indiana, Maryland, New Hampshire, Oregon, and Pennsylvania.
CFPB and Arkansas AG settle with company for failing to provide risk-based pricing notices
On December 11, the CFPB and the Arkansas attorney general announced a proposed settlement with a Utah-based home-security and alarm company for allegedly failing to provide proper notices under the FCRA. According to the complaint filed in the U.S. District Court for the Eastern District of Arkansas, the company allows consumers to defer payment for the alarm and security-system equipment over the life of a long-term contract, and therefore extends credit to its customers. The company—in extending credit to its customers—allegedly obtained and used consumers’ credit scores to determine the amount of activation fees it would charge for its products and services, and then charged consumers who had lower credit scores higher fees without providing those consumers with required risk-based pricing notices. Under the FCRA and implementing regulation, Regulation V, companies are required to provide notice to consumers if a consumer receives less favorable credit terms based on a review of his or her credit report. Under the proposed settlement, the company is required to pay a $600,000 civil money penalty, of which $100,000 will be offset provided the company pays that amount to settle related litigation with the State of Arkansas that is currently pending in state court. The company will also be required to provide proper risk-based pricing notices under the FCRA.
FTC settles with payment processor for fraud
On December 10, the FTC announced a settlement with a payment processor and its former CEO (collectively, “defendants”) for allegedly processing consumer credit card payments for certain entities “when they knew or should have known that the schemes were defrauding consumers,” in violation of the FTC Act. According to the complaint, the defendants allegedly arranged for merchants engaged in fraud to obtain merchant accounts with acquiring banks in order to process “unlawful credit and debit card payments through the card networks” totaling more than $93 million in consumer charges. The FTC alleges the defendants knew or should have known that the merchant accounts were being used by third parties that the defendants had not underwritten or being used by merchants to sell products that the defendants had not underwritten. Specifically, the FTC argues that the defendants ignored “clear red flags” that the merchants were operating fraudulent schemes, including high rates of consumer chargebacks and the use of multiple accounts to artificially reduce the number of chargebacks. The FTC notes that a number of the merchants the defendants contracted with were shut down by federal law enforcement.
The proposed order requires the defendants to pay $1.5 million to provide redress to affected consumers, and permanently bans the defendants from (i) acting as a payment processor for any companies providing free trial offers for nutraceutical products; (ii) engaging in credit card laundering; and (iii) assisting companies in the evasion of financial institutions’ fraud monitoring. Additionally, the defendants must conduct enhanced screening and monitoring of merchant clients.
CFPB sues debt collection company that used DA letterhead to threaten consumers
On December 9, the CFPB announced it filed a complaint in the U.S. District Court for the Western District of Missouri against a Missouri-based company alleging violations of the FDCPA and the CFPA. The company allegedly engaged in deceptive and otherwise unlawful debt collection acts and practices in the course of operating “bad-check pretrial-diversion programs on behalf of more than 90 district attorneys’ offices throughout the United States.” According to the Bureau, the company used district-attorney letterhead to threaten consumers with criminal prosecution unless they paid the amount of the dishonored check, enrolled and paid for a financial-education course, and paid various other administrative fees. The complaint claims that not only did the company fail to include required FDCPA disclosures in the letters it sent to consumers, it also failed to identify itself in the letters and did not inform consumers that it is a debt collector and not a district attorney. The company also allegedly failed to inform consumers that district attorneys almost never prosecute individuals who do not pay back the amount owed. Moreover, the Bureau claims that in most cases the company did not refer cases for prosecution, even if the check writer failed to respond to the collection letter, did not pay the alleged outstanding debt and fees, or failed to complete the financial-education course. The complaint seeks an injunction against the company as well as damages, redress, disgorgement of ill-gotten gains, and the imposition of civil money penalties.
CFPB reaches settlement with unlicensed debt collector
On December 8, the CFPB announced a settlement with a New Jersey-based debt collector resolving allegations that the defendant violated the FDCPA and the CFPA’s prohibition against deceptive acts or practices by obtaining judgments and demanding payments from consumers in states where it was not legally licensed to do so. According to the Bureau, the defendant purchased consumer debts from debt brokers, used law firms to obtain judgments against the consumers, and “continued to collect on those judgments . . . as well as on a handful of payment agreements it obtained from debtors.” The Bureau found that the defendant falsely implied that it had a legally enforceable right to recover payments from consumers in Connecticut, New Jersey, and Rhode Island, and demanded payments and threatened legal action even though it did not hold the debt collection licenses required under the laws of those states. The consent order requires the defendant to pay a $204,000 civil money penalty, and prohibits the defendant from collecting on the judgments against, or payment agreements entered into with, consumers in Connecticut, New Jersey, and Rhode Island when it was not legally allowed to do so. The defendant is also required to “take all necessary steps to vacate all judgments not discharged in bankruptcy or [that were] previously satisfied,” and must suspend collection of those judgments and provide notice to consumers with payment agreements that have been satisfied.
Court enters $41 million default judgment against student debt-relief operators
On December 3, the U.S. District Court of the Central District of California entered a default judgment against a student debt-relief company and one of its owners (collectively, “defaulting defendants”) in an action brought by the CFPB alleging the defaulting defendants (and others not subject to the judgment) charged thousands of customers approximately $11.8 million in upfront fees in violation of the Telemarketing Sales Rule (TSR). As previously covered by InfoBytes, in July, the CFPB filed a complaint against the defaulting defendants, one other company, its owner, and four attorneys, alleging the companies would market its debt-relief services to customers over the phone, encouraging those with private loans to sign up with an attorney to reduce or eliminate their student debt. The businesses allegedly charged the fees before the customer had made at least one payment on the altered debts, in violation of the TSR’s prohibition on requesting or receiving advance fees for debt-relief service or, for certain defendants, the TSR’s prohibition on providing substantial assistance to someone charging the illegal fees. In August, the court approved stipulated final judgments with the other company owner (available here) and three of the attorneys (available here, here, and here).
The court entered into a default judgment against the defendants after they failed to file an answer or otherwise respond to the Bureau’s complaint. The judgment requires the defaulting defendants to pay over $11 million in consumer redress with separate $15 million civil money penalties entered against the company and the owner. Additionally, the defaulting defendants are permanently banned from providing debt-relief services or engaging in telemarketing of any consumer financial product or service.
Restaurant chain to pay SEC $125,000 for misleading Covid-19 disclosures
On December 4, the SEC announced a settlement with a national restaurant chain for allegedly making misleading disclosures about the impact of the Covid-19 pandemic on its business operations. According to the order, in the restaurant’s Form 8-Ks filed on March 23 and April 3, the restaurant disclosed that it was “operating sustainably at present under this [off-premise] model” (referring to its to-go and delivery services). However, the SEC asserts that the restaurant did not disclose that it was “losing approximately $6 million in cash per week; and that it had only approximately 16 weeks of cash remaining, even after the $90 million revolving credit facility borrowing,” nor did it disclose the letter it send to its landlords announcing it would not be paying April rent. The SEC asserts the disclosures were materially false and misleading and violated Section 13(a) of the Exchange Act and Rules 13a-11 and 12b-20 thereunder. Without admitting the findings, the restaurant agreed to pay $125,000 in civil money penalties. This is the first action the SEC has taken against a company for misleading investors
District court denies dismissal and stay of CFPB action
On November 30, the U.S. District Court of the District of Maryland denied a motion to dismiss an action brought by the CFPB against a debt collection entity, its subsidiaries, and their owner (collectively, “defendants”), rejecting the defendants’ argument that the Bureau lacked standing to bring the action. As previously covered by InfoBytes, in September 2019, the Bureau alleged the defendants violated the FCRA, FDCPA, and the CFPA by, among other things, failing to (i) establish or implement reasonable written policies and procedures to ensure accurate reporting to consumer-reporting agencies; (ii) incorporate appropriate guidelines for the handling of indirect disputes in its policies and procedures; (iii) conduct reasonable investigations and review relevant information when handling indirect disputes; and (iv) furnish information about accounts after receiving identity theft reports about such accounts without conducting an investigation into the accuracy of the information. The defendants moved to dismiss the action arguing, among other things, that (i) the Bureau lacks standing to bring the action; and (ii) Director Kraninger’s ratification of the litigation was invalid. In the alternative, the defendants moved to stay the lawsuit until the U.S. Supreme Court issued a ruling in Collins v. Mnuchin (covered by InfoBytes here).
The court denied the motion to stay, concluding that the issues pending before the Supreme Court in Mnuchin may not necessarily apply to the Bureau, as they are different agencies and further, there is no issue of ratification in Mnuchin. Thus, given the “uncertainty surrounding the effect a decision in Collins v. Mnuchin will have on the present case,” the court denied the motion to stay. The court also denied the motion to dismiss, concluding, among other things, that the Supreme Court’s finding in Seila Law LLC v. CFPB (covered by a Buckley Special Alert) that the Bureau had a constitutional defect in its leadership structure under Article II does not diminish the agency’s Article III standing. Moreover, the court concluded that the decision in Seila Law does not mean that the Bureau “lacked authority during the time in which it was led by an improperly removable Director,” and therefore the Bureau had the authority to initiate the September 2019 lawsuit against the defendants. Further, the court held that the July 2020 ratification of the enforcement action was proper.