Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 10, the FTC announced that it entered into two settlement agreements: one with a call center and two individuals, and one with an additional individual (together, “the settling defendants”) that it claims made illegal robocalls to consumers as part of a cruise line’s telemarketing operation allegedly aimed at marketing free cruise packages to consumers. According to the two settlements (see here and here), the settling defendants “participated in unfair acts or practices in violation of . . . the FTC Act, and the FTC’s Telemarketing Sales Rule [(TSR)]” by “(a) placing telemarketing calls to consumers that delivered prerecorded messages; (b) placing telemarketing calls to consumers whose telephone numbers were on the National Do Not Call Registry; and (c) transmitting inaccurate caller ID numbers and names with their telemarketing calls.” The defendants are permanently banned from making telemarketing robocalls, and have been levied judgments totaling $7.8 million, all but $2,500 of which has been suspended due to the defendants’ inability to pay.
Also on January 10, the FTC filed a complaint in the U.S. District Court for the Middle District of Florida against the remaining six defendants allegedly involved in the telemarketing operation, for violations of the FTC Act and TSR based on the same actions alleged against the settling defendants.
Mortgage broker allegedly violated federal laws by posting customers’ personal information on website
On January 7, the FTC announced a proposed settlement with a California mortgage broker and his company to resolve alleged violations of the FTC Act, FCRA, Regulation P, and the Safeguards Rule. According to a complaint filed by the DOJ on behalf of the FTC, the defendants published the personal information of customers who posted negative reviews on a public website, including customers’ “sources of income, debt-to-income ratios, credit history, taxes, family relationships, and health.” The alleged posts containing negative financial information violated the defendants’ responsibilities under Regulation P (Privacy of Consumer Financial Information) as the required privacy disclosure provided to the customers stated that the defendants would not share personal information with any third party. Regulation P also “prohibits financial institutions from disclosing to any nonaffiliated third party any nonpublic personal information about a customer unless it has provided the customer with an opt-out notice, . . . a reasonable opportunity to opt out of the disclosure, and the customer has not opted out.” In this instance, customers were not given the opportunity to opt out of disclosure of their personal financial information in response to online consumer reviews, the complaint asserts. In addition, the complaint alleges that the defendants also violated the FTC Act by causing unfair or deceptive acts or practices that “deprived consumers of the ability to control whether and to whom they disclosed sensitive information.” The defendants also allegedly violated the FCRA by using consumer reports for impermissible purposes, and the FTC’s Safeguards Rule by failing to implement or maintain an adequate information security program. Under the terms of the proposed settlement, the defendants will pay a $120,000 civil penalty and are prohibited from (i) misrepresenting their privacy and data security practices; (ii) using consumer reports for anything other than a permissible purpose; (iii) not providing required privacy notices; and (iv) improperly disclosing nonpublic personal information to third parties. Among other things, the company is also prohibited from transferring, selling, sharing, collecting, maintaining, or storing nonpublic personal information unless it implements a comprehensive information security program; and must obtain independent third-party assessments of its information security program every two years.
On December 30, the FTC announced that the U.S. District Court for the District of Nevada had, on December 5, granted its motion for summary judgment in an action against a mortgage loan modification operation (operation) for allegedly violating the FTC Act and the Mortgage Assistance Relief Services Rule (MARS Rule). The January 2018 complaint alleged that the operation had engaged in unfair or deceptive acts or practices when it “preyed on financially distressed homeowners” by making false representations in advertising that its mortgage relief services could prevent foreclosures and “substantially lower” mortgage interest rates, as previously covered here. Additionally, the complaint charged that the operation used “doctored logos” in correspondence with consumers to give the impression that it was “affiliated with, endorsed or approved by, or otherwise associated with the federal government’s Making Home Affordable loan modification program,” and similarly claimed affiliation or “special arrangements” with the holder or servicer of the consumer’s loan. The court agreed with the FTC’s allegations, finding that the operation violated the FTC Act and the MARS Rule. The court entered a monetary judgment against the operation of over $18.4 million as equitable relief, which the FTC may use to compensate consumers harmed by the operation’s business practices. To the extent that an FTC representative determines that direct consumer redress is impracticable or money remains after redress is completed, the FTC may apply any remaining funds to other equitable relief (including consumer information remedies) that it determines is reasonably related to the practices alleged in the complaint. The court also permanently enjoined the operation from marketing or providing any secured or unsecured debt relief product or service, as well as from making deceptive statements to consumers regarding any other financial product or service.
On December 20, the FTC announced it had filed suit for unfair and deceptive acts and practices in violation of the FTC Act against a fuel payment card services company (company) for its “problematic marketing and fee practices.” The FTC’s complaint, filed in U.S. District Court for the Northern District of Georgia, alleges that the company marketed the fuel payment cards to “companies that operate vehicle fleets” with false promises that the cards would provide (i) cost savings; (ii) protection from unauthorized card purchases; and (iii) “no set-up, transaction, or membership fees, including when used to purchase fuel at any of the thousands of locations nationwide that accept [the company’s] fuel cards.” In fact, according to the complaint, the company “has charged customers at least hundreds of millions of dollars in unexpected fees,” and “at least tens of millions of dollars in recurring fees for programs they have not ordered,” and, in spite of its marketing representing otherwise, the company has not provided advertised fuel savings, and has not provided fraud protection for unauthorized transactions. The complaint also claims that the company has not timely posted customer payments when received, leading to customers being levied additional fees for late charges and “related [i]nterest and [f]inance [c]harges even when the customers have paid their balance in full by the due date.” The FTC seeks permanent injunctive relief against the company to prevent future violations, as well as redress for those consumers injured by the FTC Act violations, “including rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”
On December 13, the FTC filed a brief in a U.S. Supreme Court action that is currently awaiting the Court’s decision to grant certiorari. The question presented to the Court asks whether the FTC is empowered by Section 13(b) of the FTC Act to demand equitable monetary relief in civil enforcement actions. The petitioners, who include a Kansas-based operation and its owner, filed the petition for a writ of certiorari in October, appealing a December 2018 decision by the U.S. Court of Appeals for the Ninth Circuit (covered by InfoBytes here), which upheld a $1.3 billion judgment against the petitioners for allegedly operating a deceptive payday lending scheme. Among other things, the 9th Circuit rejected the petitioners’ argument that the FTC Act only allows the court to issue injunctions, concluding that a district court may grant any ancillary relief under the FTC Act, including restitution. The 9th Circuit also rejected the petitioners’ request to revisit those precedents in light of the Court’s 2017 holding in Kokesh v. SEC—which limited the SEC’s disgorgement power to a five-year statute of limitations period applicable to penalties and fines under 28 U.S.C. § 2462 (previously covered by InfoBytes here)—concluding that the district court did not abuse its discretion in calculating the award. Additionally, the 9th Circuit referenced the Court’s statement in Kokesh that noted “[n]othing in [its] opinion should be interpreted as an opinion on whether courts possess authority to order disgorgement in SEC enforcement proceedings.”
In response to the petition, the FTC asked the Court to delay reviewing the appeal, stating that the Court should hold the petition pending the disposition in a matter that was recently granted cert “to decide whether district courts may award disgorgement to the [SEC] under analogous provisions of the securities laws.” The FTC acknowledged that while the “relevant statutory schemes are not identical, and the FTC’s and the SEC’s authority to seek monetary relief will not necessarily rise and fall together,” the questions presented in both cases overlap.
On December 10, the FTC announced a settlement with a for-profit school and its parent company to resolve allegations that they employed deceptive advertisements in violation of the FTC Act that gave the impression that the school had relationships and job opportunities with various technology companies and tailored curricula to those jobs. In the complaint, the FTC claims the defendants relied upon false and misleading advertisements to attract prospective students that gave the impression that the school’s relationship with certain companies would create employment opportunities. In addition, the FTC alleges that while the defendants claimed the companies also worked with the school to develop its courses, in reality the partnerships were primarily marketing relationships that did not create jobs or curricula for the school’s students. Moreover, the FTC claims that some of these advertisements specifically targeted current and former military members and Hispanic consumers. Under the terms of the settlement, the school is required to pay $50 million in consumer redress and cancel approximately $141 million in student loan debts owed to the school by former students who first enrolled during the covered period.
The FTC’s press release notes, however, that the “settlement will not affect student borrowers’ federal or private loan obligations,” and directs borrowers to the Department of Education’s income-driven repayment plans for guidance on lowering monthly payments. The FTC also states that borrowers who believe they may have been defrauded or deceived can apply for loan forgiveness through the Borrower Defense to Repayment procedures.
On December 6, the FTC issued an unanimous opinion against a British consulting and data analytics firm, finding that the firm violated the FTC Act by engaging in “deceptive practices to harvest personal information from tens of millions of [a social media company’s] users.” The information—which was allegedly collected through an application that told users it would not harvest identifiable information—was then used to target potential voters. The opinion also found that the firm engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework. The opinion follows an administrative complaint issued against the firm in July (previously covered by InfoBytes here). Under the terms of the administrative final order, the firm is prohibited from misrepresenting “the extent to which it protects the privacy and confidentiality of personal information as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations,” and it must apply Privacy Shield protections to personal information collected during its participation in the program or return or delete the information. Among other things, the firm also must delete or destroy the personal information collected from consumers through the app, as well as any other information or work product that originated from the information.
On December 5, the FTC and the Ohio attorney general announced that the U.S. District Court for the Western District of Texas issued a temporary restraining order (TRO) against a VoIP service provider and its foreign counterpart for facilitating (or consciously avoiding knowing of) a “phony” credit card interest rate reduction scheme committed by one of its client companies at the center of a joint FTC/Ohio AG action. As previously covered by InfoBytes, the original complaint alleged that a group of individuals and companies—working in concert and claiming they could reduce interest rates on credit cards—had violated the FTC Act, the Telemarketing Sales Rule, and various Ohio consumer protection laws. In addition to obtaining a TRO against the most recent alleged participants, the FTC and Ohio AG amended their July complaint to add the telecom companies as defendants alleging the companies “played a key role in robocalling consumers to promote a credit card interest reductions scheme.”
On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”
The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.
The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.
On October 21, the FTC announced two separate actions involving social media and online reviews. In its complaint against a skincare company, the FTC alleged that the company misled consumers by posting fake reviews on a retailer’s website and failed to disclose company employees wrote the reviews. The FTC asserted that the retailer’s customer review section is “a forum for sharing authentic feedback about products,” and the company and owner “represented, directly or indirectly, expressly or by implication, that certain reviews of [the company] brand products on the [retailer’s] website reflected the experiences or opinions of users of the products.” The FTC argued that the failure to disclose that the owner or employees wrote the reviews constitutes a deceptive act or practice under Section 5 of the FTC Act because the information would “be material to consumers in evaluating the reviews of [the company] brand products in connection with a purchase or use decision.” In a 3-2 vote, the Commission approved the administrative consent order, which notably does not include any monetary penalties. The order prohibits the company from misrepresenting the status of an endorser and requires the company and owner to disclose the material connection between the reviewer and the product in the future.
The FTC also entered into a proposed settlement with a now-defunct company and its owner for allegedly selling fake social media followers and subscribers to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients; as well as to actors, athletes, and others who wanted to increase their social media appeal. According to the FTC, the company “provided such users of social media platforms with the means and instrumentalities for the commission of deceptive acts or practices,” in violation of Section 5(a) of the FTC Act. The Commission unanimously voted to approve the proposed court order, which bans the company from selling or assisting others in selling “social media influence.” The proposed order imposes a $2.5 million monetary judgment against the company owner, but suspends the majority upon the payment of $250,000.
- Jonice Gray Tucker to discuss "Trends in regulatory enforcement" at the ABA Banking Law Committee Meeting
- Jonice Gray Tucker to discuss "Fair access to credit in today’s innovative environment" at the ABA Banking Law Committee Meeting
- Andrew W. Schilling to moderate "Expectations of in-house counsel from their law firm partners" at the ACI's 7th Annual Advanced Forum on False Claims and Qui Tam
- Buckley Webcast: Tips for navigating changes to the FHA recertification process
- Daniel P. Stipano to discuss "A 20/20 view on 2020’s legislative and regulatory outlook" at the ACAMS Anti-Financial Crime and Public Policy Conference
- Kari K. Hall and Michelle L. Rogers to discuss "Overdrafts and regulatory trends" at the CLE Alabama Banking Law Update
- Kathryn L. Ryan to discuss "Industry open forum session on NMLS usage" at the NMLS Annual Conference & Training
- Kathryn L. Ryan to discuss "Regulating innovative consumer lending products" at the NMLS Annual Conference & Training
- Daniel P. Stipano to moderate "Washington update" at the 17th Puerto Rican Symposium of Anti Money Laundering 2020 conference
- APPROVED Checkpoint Webcast: CFL overview
- Daniel P. Stipano to discuss "Pathway of the SARs: Tracking trajectories of suspicious activity reports from alerts to prosecution" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Which bud’s for you? A deep-dive into evolving marijuana laws" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference