InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB sues auto-loan servicer for double-billing practices
On August 2 CFPB filed a complaint in the U.S. District Court for the Northern District of Georgia against an auto-loan servicer alleging a host of illegal practices that harmed individuals with auto loans. The Bureau alleged that the auto-loan servicer engaged in unfair acts and practices in violation of the CFPA, including (i) wrongfully activating nearly 80,000 times starter-interruption devices, which are devices that warn consumers with beeps or disable their car altogether when they are late with a loan payment; (ii) failing to ensure refunds of over millions of dollars of GAP insurance premiums after consumers paid off their loan early or their car was repossessed by the auto-loan servicer; (iii) erroneously billing 34,000 consumers for collateral-protection insurance (CPI) by charging consumers twice each billing cycle, totaling around $1.9 million; (iv) wrongfully applying extra consumer payments first to late fees or CPI instead of accrued interest; and (v) wrongfully repossessing consumers’ cars dozens of times due to errors by the auto-loan servicer or its vendor.
The Bureau seeks, among other things, redress to consumers, civil money penalties, and injunctions to prevent future violations.
California Privacy Protection Agency announces its first inquiry
On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CCPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.
FCC warns provider to stop transmitting illegal robocalls
On August 1, the FCC’s Enforcement Bureau notified a gateway intermediate provider and originator that it is allegedly transmitting and originating illegal robocalls, which could result in the FCC permitting downstream service providers to block its traffic permanently if it fails to take action. The illegal robocalls allegedly involved attempts to engage with consumers by informing consumers of fake purchase orders or asking them to confirm their order. Noting that the provider is “closely connected” to two other entities that had previously received similar enforcement letters, the FCC warned that continually changing corporate formations and serving those same entities and related principals could constitute “willful attempts to circumvent the law to originate and carry illegal traffic.” Among other things, the provider is required to investigate the identified transmissions, block all of the identified traffic if the investigation confirms that the entity served as the gateway provider for the illegal transmissions, and report the results to the FCC’s enforcement bureau.
SEC charges companies, founder for operating an unregistered exchange
On July 31, the SEC filed a complaint in the U.S. District Court for the Eastern District of New York against three cryptocurrency trading platforms and their founder for allegedly conducting unregistered offerings of crypto asset securities that raised more than $1 billion in crypto assets from investors. The SEC also claimed that the founder and one of the platforms fraudulently misappropriated at least $12 million of offering proceeds to purchase luxury goods including sports cars, watches, and diamonds.
According to the SEC’s complaint, as early as 2018 the defendants began marketing what they claimed to be the first high-yield “blockchain certificate of deposit,” and promoting tokens as an investment designed to make people “rich.” It is further alleged that from at least December 2019 through November 2020, the defendants offered and sold tokens in an unregistered offering and collected more than 2.3 million cryptocurrency units through “recycling” transactions that enabled the defendants to surreptitiously gain control of more tokens.
The complaint seeks injunctive relief, disgorgement of ill-gotten gains plus prejudgment interest, penalties, and other equitable relief.
ETF, founder to pay SEC $4.4M for misleading trustees
On August 1, the SEC settled for $4.4 million with an investment adviser and entities he founded (collectively, the “respondents”) on charges that they breached both their duty of care and duty of loyalty to their client, an exchange traded fund (ETF), in violation of the Investment Advisers Act and the Investment Company Act. As alleged in the settlement, the respondents needed funds to settle a substantial private litigation judgment, and to secure the funds to do so, committed to keep the client’s security lending business with the company providing the financing to the respondents. However, there were better offers on better terms from other securities lenders that could have provided millions more in revenue to the client, and the respondents did not disclose this information to their client or to the client’s independent trustees. In addition to the civil penalties, without admitting or denying the findings, respondents agreed to various non-monetary penalties, including cease-and-desist orders, an associational bar for the investment adviser and censures for the respondent entities.
FCC fines companies $20M for insufficient consumer data security measures
On July 28, the FCC announced a proposed fine of $20 million for two affiliated mobile carrier companies over alleged violations of FCC rules. The Commission alleged that the companies failed to protect the privacy and security of subscribers’ personal data by violating three provisions of section 64.2010 of FCC rules, which requires carriers to authenticate customers’ identity before providing online access to their network information. The alleged violations included relying on readily available information to control access to the network information, failing to establish “reasonable” data security standards. FCC Chairwoman Jessica Rosenworcel cited such failures to protect consumers’ privacy to underpin the importance of the FCC’s newly established Privacy and Data Protection Task Force (covered by InfoBytes here). The proposed sanctions are not final, and the companies will have an opportunity to respond.
OCC releases recent enforcement actions
On July 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Among the enforcement actions is a formal agreement with a California-based bank to update its BSA/AML compliance program. According to the agreement, the OCC identified deficiencies and violations relating to the bank’s compliance with BSA/AML laws and regulations. Among other things, the bank agreed to establish a compliance committee and revise its adherence to appropriate policies and procedures for collecting customer due diligence “when opening new accounts, when renewing or modifying existing accounts for customers, and when the [b]ank obtains event-driven information indicating that it needs to obtain updated customer due diligence information.” The bank also agreed to institute an “enhanced written risk-based program of internal controls and processes” to ensure an appropriate review of BSA/AML suspicious activity.
E-commerce company fined $25 million for alleged COPPA violations
On July 19, the DOJ and FTC announced that a global e-commerce tech company has agreed to pay a penalty for alleged privacy violations related to its smart voice assistant’s data collection and retention practices. The agencies sued the company at the end of May for violating the Children’s Online Privacy Protection Act Rule and the FTC Act, alleging it repeatedly assured users that they could delete collected voice recordings and geolocation information but actually held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. (Covered by InfoBytes here.)
The stipulated order requires the company to pay a $25 million civil money penalty. The order also imposes injunctive relief requiring the company to (i) identify and delete any inactive smart voice assistant children’s accounts unless requested to be retained by a parent; (ii) notify parents whose children have accounts about updates made to its data retention and deletion practices and controls; (iii) cease making misrepresentations about its “retention, access to or deletion of geolocation information or voice information, including children’s voice information” and delete this information upon request of the user or parent; and (iii) disclose its geolocation and voice information retention and deletion practices to consumers. The company must also implement a comprehensive privacy program specific to its use of users’ geolocation information.
CFPB alleges UDAAP violations by “lease-to-own” financer
On July 19, the CFPB announced it is suing a lease-to-own finance company that provides services that allows consumers, typically with limited access to traditional forms of credit for their financing, to finance merchandise or services over a 12-month period. According to the complaint, the Bureau claims that once a consumer falls behind on payments, the company’s purchase agreement essentially “lock[s] [consumers] into the 12-month schedule—even if they want to return or surrender their financed merchandise.” The alleged violations include:
- Misleading consumers. The company is accused of designing and implementing its financing program in a way that misleads consumers by using print advertisements featuring the phrase “100 Day Cash Payoff” without including details of the purchase agreement financing. The company is accused of misrepresenting that consumers could not terminate their agreement, that consumers could not return their merchandise, and that the “best” or “only” option for consumers who no longer want to finance their merchandise is to enter a “buy-back” agreement. The Bureau alleges that such conduct, among other things, violated the CFPA's prohibition on deceptive and abusive acts and practices.
- Unlawful conditioning of credit extension. The company is accused of violating the EFTA and its implementing Regulation E by allegedly improperly requiring consumers to repay credit through preauthorized automated clearing house debits.
- Failing to establish reasonable policies concerning consumer information. The Bureau alleges that the company violated the FCRA and its implementing Regulation V by not having adequate written policies and procedures to ensure the accuracy and integrity of consumer information that it furnished, considering the company’s “size, complexity, and scope.”
The Bureau seeks, among other things, injunctions to prevent future violations, rescission or reformation of the company's financing agreements, redress to consumers, and civil money penalties.
Feds, states launch “Operation Stop Scam Calls”
On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.
In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.
Among the new actions announced a part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.
Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.