InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB, DOJ issue letter to auto companies on SCRA provisions
On July 29, the CFPB and DOJ issued a joint letter reminding auto finance companies of legal protections for military families under the Servicemembers Civil Relief Act (SCRA). Among other things, the letter outlines several SCRA provisions that apply to vehicle financing, including: (i) prohibiting vehicle repossession without a court order during the borrower’s military service if a borrower financed or leased the vehicle prior to entering military service; (ii) permitting servicemembers and joint lessee dependents to terminate motor vehicle leases early, and without penalty, after entering military service or receiving qualifying military orders during active duty; and (iii) capping the amount of interest on loans incurred prior to military service to 6 percent per year.
CFPB, DOJ take action against mortgage lender
On July 27, the CFPB and the DOJ jointly filed a lawsuit against a Delaware-based mortgage lender for engaging in unlawful discrimination. The complaint, filed in the U.S. District Court for the Eastern District of Pennsylvania, alleges that the defendant violated the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B and the Consumer Financial Protection Act (CFPA) by, among other things, engaging in unlawful discrimination on the basis of race, color, or national origin against applicants and prospective applicants, including by redlining majority-minority neighborhoods, and by engaging in acts and practices directed at prospective applicants that would discourage prospective applicants from applying for credit. The DOJ also alleged a violation of the Fair Housing Act, including the “making unavailable or denial of dwellings to persons because of race, color, and national origin,” among other things.
The proposed consent order, if entered by the court, would be Bureau’s first nonbank mortgage redlining resolution. It would require the defendant, among other things, to: (i) deposit $18.4 million into a loan subsidy program; (ii) pay a $4 million penalty to the Bureau; and (iii) pay $2 million to fund advertising to generate applications in redlined areas. The proposed order also notes the defendant neither admits nor denies the allegations in the complaint. According to a statement released by CFPB Director Rohit Chopra, the Bureau “will continue to seek new remedies to ensure all lenders meet and fulfill their responsibilities and obligations and the CFPB continues to be on the lookout for emerging digital redlining to ensure that discrimination cannot be disguised by an algorithm.”
DOJ announces settlement with ride sharing company over ADA violations
On July 18, the DOJ announced a settlement in the U.S. District Court for the Northern District of California to resolve a lawsuit alleging that a ride sharing service (defendant) violated the Americans with Disabilities Act (ADA). According to the complaint, in April 2016, the defendant started charging passengers wait time fees, which charged wait time fees starting two minutes after the defendant’s vehicle arrives at the pickup location, and the fees are charged until the vehicle starts its trip. The DOJ claimed that the defendant violated the ADA by failing to: (i) “ensure adequate vehicle boarding time for passengers with disabilities”; (ii) “ensure equitable fares for passengers with disabilities”; and (iii) “make reasonable modifications to its policies and practices of imposing wait time fees as applied to passengers who, because of disability, require more time to board the vehicle.” According to the settlement agreement, the defendant – who denies any wrongdoing, liability, or fault – must, among other things: (i) pay $1.7 million to more than 1,000 riders who have already complained to the company about being charged wait time fees as a result of a disability; (ii) pay $500,000 to “other harmed individuals identified by the department”; and (iii) pay a $50,000 civil money penalty to the U.S. Additionally, according to the DOJ, the defendant has committed under the two-year agreement to waive wait time fees for all riders who certify that they (or someone they frequently travel with) need more time to get in a car due to a disability. Among other things, the defendant also will ensure that refunds are easily available for anyone who does not have a waiver and is charged a wait time fee because of disability.
DOJ reports on cybersecurity and announces seizure of $500,000 from hackers
On July 19, Deputy Attorney General Lisa O. Monaco spoke before the International Conference on Cyber Security (ICCS) 2022 regarding DOJ’s efforts to combat the increase of cyberattacks. Monaco also announced the release of the Comprehensive Cyber Review, which reflects “the need to prioritize prevention, to ensure we are doing all we can to help victims, and above all else – to use all the tools at our disposal, working with partners here and around the globe, across the government and across the private sector.” The report noted that the “failure of certain technology companies” to meet their legal obligations “is a major factor in allowing criminals to escape detection and apprehension.” The report also noted that over the last decade,” companies have “proactively taken independent actions” against cybercriminals without prior coordination with U.S. law enforcement officials. The report argues that “there is no reason that criminal activities in the cyber context should be handled differently than in the real world, where it would almost be unheard of for private companies to observe criminal activity” without informing law enforcement as soon as possible and then working with law enforcement to further identify and disrupt the criminal activity. The report recommends that the Justice Department and U.S. technology companies “develop a voluntary set of principles regarding the proactive and systematic reporting of cybercriminal activities using their platforms.”
Monaco also announced that the FBI and DOJ “disrupted” a North Korean state-sponsored hacking group that targeted U.S. medical facilities and other public health sector organizations. According to the DOJ’s press release, the Department seized $500,000 in cryptocurrency paid as ransom to North Korean hackers who used a ransomware strain to encrypt the files and servers of a medical center in Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.
California mortgage lender to pay $1 million to settle fraud allegations
Recently, the United States Attorney for the Eastern District of Washington announced a settlement with a California-based mortgage lender to resolve allegations that it “improperly and fraudulently” originated government-backed mortgage loans insured by FHA, resulting in losses to the government when borrowers defaulted on their mortgages. The settlement concludes a joint investigation conducted by the U.S. Attorney’s Office and the Offices of Inspector General for the Department of Veterans Affairs and HUD, which commenced as required by the False Claims Act after a whistleblower (a former loan processor) filed a qui tam complaint against the lender in 2019. The whistleblower claimed that between December 2011 and March 2019, the lender knowingly underwrote certain FHA mortgages and approved some mortgages for insurance that failed to meet FHA requirements or qualify for insurance. The whistleblower further alleged that the lender “knowingly failed to perform quality control reviews that it was required to perform.”
“By improperly originating ineligible mortgages, lenders take advantage of the limited resources of the FHA program and unfairly pass the risk of loss onto the public,” the U.S. Attorney said. According to the announcement, the lender agreed to pay more than $1.03 million under the terms of the settlement agreement. The whistleblower will receive $228,172 of the settlement proceeds, plus attorney’s fees, expenses, and costs.
DOJ charges six with crypto fraud
On June 30, the DOJ charged six individuals in four separate cases for allegedly playing a role in several cryptocurrency-related fraud schemes. In its press release announcing the indictments, the DOJ said these schemes include “the largest known Non-Fungible Token (NFT) scheme charged to date, a fraudulent investment fund that purportedly traded on cryptocurrency exchanges, a global Ponzi scheme involving the sale of unregistered crypto securities, and a fraudulent initial coin offering.”
- Crypto NFT Scheme: The DOJ charged a Vietnamese national with one count of conspiracy to commit wire fraud and one count of conspiracy to commit international money laundering related to his involvement in an NFT project, in which the individual and his co-conspirators allegedly engaged in a “rug pull” that ended the investment project and stole roughly $2.6 million from investors. Shortly after the rug pull, the DOJ said in its announcement that the individuals allegedly “laundered investors’ funds through ‘chain-hopping,’ a form of money laundering in which one type of coin is converted to another type and funds are moved across multiple cryptocurrency blockchains.” The individuals also allegedly used decentralized cryptocurrency swap services to hide the trail of investors’ stolen funds.
- Crypto Ponzi and Unregistered Securities Scheme: The DOJ charged two Brazilian nationals and a Florida resident with one count of conspiracy to commit wire fraud and one count of conspiracy to commit securities fraud in connection with a global cryptocurrency-based Ponzi scheme that generated approximately $100 million from investors. The Brazilian nationals were also charged with conspiracy to commit international money laundering. According to the DOJ, the individuals fraudulently promoted a cryptocurrency investment platform and unregistered securities offering by misrepresenting a purported proprietary trading bot and falsely guaranteeing returns to investors. The Brazilian nationals allegedly laundered investors’ funds through a foreign-based cryptocurrency exchange and paid earlier platform investors with money obtained from later investors, the DOJ said. The SEC also filed a lawsuit against all three individuals and their company in the U.S. District Court for the Southern District of Florida.
- Crypto Initial Coin Offering Scheme: A California resident who founded a cryptocurrency investment platform was charged by the DOJ with one count of securities fraud for his role in a cryptocurrency fraud scheme involving the platform’s initial coin offering (ICO), which raised roughly $21 million from investors globally. According to the DOJ, the individual falsified information in company white papers for prospective investors, promoted fake testimonials, and fabricated purported business relationships with the Federal Reserve Board and dozens of major companies to appear legitimate.
- Crypto Commodities Scheme: The DOJ charged the owner of a cryptocurrency investment platform with one count of conspiracy to commit wire fraud, four counts of wire fraud, one count of conspiracy to commit commodities fraud, and one count of obstruction of justice. The Nevada resident allegedly raised approximately $12 million from investors by using the platform to solicit investors’ participation in an unregistered commodity pool (“a fund that combines investors’ contributions to trade on the futures and commodity markets”), told investors that he used a trading bot that “could execute over 17,000 transactions per hour on various cryptocurrency exchanges” to earn profits, and falsely represented that this trading bot would generate between 500 to 600 percent returns on the amount invested.
“Our office is committed to protecting investors from sophisticated scammers seeking to capitalize on the relative novelty of digital currency,” U.S. Attorney Juan Antonio Gonzalez for the Southern District of Florida stated. “As with any emerging technology, those who invest in cryptocurrency must beware of profit-making opportunities that appear too good to be true.”
U.S. and EU collaborate to combat ransomware attacks
On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in the Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, the U.S. Homeland Security Investigations, European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations."
Special Alert: DOJ settles claims of algorithmic bias
On June 21, the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.
DOJ: $4.5 million judgment in case targeting Hispanic homeowners
On June 10, the DOJ announced that the U.S. District Court for the Middle District of Florida entered a consent order against several defendants accused of violating the Fair Housing Act by targeting Hispanic homeowners for predatory mortgage loan modification services. After several Hispanic homeowners filed discrimination complaints with HUD, the agency conducted an investigation, issued charges of discrimination, and referred the matter to the DOJ for litigation. According to the DOJ’s complaint, the defendants targeted Hispanic homeowners with deceptive Spanish-language advertising “that falsely promised to cut their mortgage payments in half” and guaranteed “lower payments in a specific timeframe in exchange for thousands of dollars of upfront fees and continuing monthly fees of as much as $550, which defendants claimed were ‘non-refundable.’” The DOJ further contended that many of the targeted Hispanic homeowners (who had limited English proficiency) were told not to communicate with their lenders and were instructed to stop making monthly mortgage payments; however, the defendants allegedly “did little or nothing to obtain the promised loan modifications,” leading to defaults and foreclosures.
The consent order, reached in partnership with the Civil Rights Division’s Housing Section, enters a nearly $4.6 million judgment (which is mostly suspended) against the defendants to compensate harmed homeowners. Of this amount, $95,000 in total will go to three individuals who intervened as plaintiffs in the DOJ’s lawsuit. Defendants must also pay a $5,000 civil penalty. In addition to monetary relief, the consent order permanently enjoins defendants “from providing any mortgage relief assistance services, including, but not limited to, mortgage loan modification, foreclosure rescue, or foreclosure defense services.” The consent order also imposes training and reporting/recordkeeping requirements for defendants’ other real-estate activities.
Social media company to pay $150 million to settle FTC, DOJ data security probe
On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed the defendant used the collected information to allow advertisers to target specific ads to specific users by matching the phone numbers or email addresses with data they already had or obtained from data brokers. DOJ’s complaint alleged that the defendant’s conduct violated the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to legally transfer data from EU countries and Switzerland. This conduct also allegedly violated a 2011 FTC consent order with the defendant stemming from claims that the defendant deceived users and put their privacy at risk by failing to safeguard their personal information. According to DOJ’s complaint, the 2011 order “specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information.”
Under the terms of the proposed order, the defendant would be required to pay a $150 million civil penalty and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures would (i) “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers”; (ii) require the defendant to “notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about [its] privacy and security controls”; (iii) require the defendant to implement and maintain a comprehensive privacy and information security program, including conducting “a privacy review with a written report prior to implementing any new product or service that collects users’ private information,” regularly testing its data privacy safeguards, and obtaining regular independent assessments of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require the defendant to notify the FTC should it experience a data breach, and provide reports after any data privacy incident affecting 250 or more users. Additionally, the defendant would be banned from profiting from deceptively collected data.