InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Court permanently bans companies and officer from payment processing
On January 22, the U.S. District Court for the District of Arizona entered judgments (available here and here) prohibiting two companies and one officer from engaging in payment processing services, credit card laundering, and telemarketing as a result of their involvement in a credit card laundering scheme. As previously covered by InfoBytes, in July 2017, the FTC filed a complaint against 12 defendants, comprised of an independent sales organization (ISO), sales agents, payment processors, and identified principals, for allegedly violating the FTC Act and the Telemarketing Sales Rule by laundering credit card transactions on behalf of a “telemarketing scam” operation through fictitious merchant accounts. The defendants purportedly (i) underwrote and approved the operation’s fictitious companies; (ii) set up merchant accounts with its acquirer for the fictitious companies; (iii) used sales agents to market processing services to merchants; (iv) processed nearly $6 million through credit card networks; and (v) transferred sales revenue from the transactions to companies controlled by the defendants. In addition to the permanent injunctions, the court entered into an over $4.6 million suspended judgment against the companies and an over $460,000 suspended judgment against the officer. However, the judgments can be lifted should the court find that the officer failed to disclose material assets or the accurate value of material assets.
FTC settles with company for data security lapses
On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to ensure the security of personal consumer information, including sensitive health information. According to the complaint, the company collected personal information from customers who signed up for membership plans and allegedly stored the unencrypted personal information on an unsecured cloud database, which could be accessed by anyone on the internet. The company also allegedly failed to perform vulnerability and penetration testing or conduct periodic risk assessments, and failed to monitor for unauthorized access to its network. In addition, the FTC claims that the company, once it was informed that its data was unsecure, represented that it immediately conducted an investigation and determined “[t]here was no medical or payment-related information visible and no indication that the information has been misused.” However, the FTC alleges that the company failed to, among other things, “examine the actual information stored in the cloud database, identify the consumers placed at risk by the exposure, or look for evidence of other unauthorized access to the database.” Instead, after confirming that the data was online and publicly accessible, the company deleted the database, the FTC claims.
The proposed settlement requires the company to, among other things, maintain safeguards to protect personal information, implement a comprehensive data security program, and undergo biennial assessments conducted by third party on the effectiveness of its program. The company is also prohibited from misrepresenting how it collects, maintains, secures, discloses, or deletes personal data, as well as whether it has been endorsed by or participates in any government- or third-party sponsored privacy or security program. The company will also be required to send a notice to affected consumers about its response to the security incident.
FTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
FTC orders social media and video streaming companies to provide data on privacy practices
On December 14, the FTC issued orders to nine social media and video streaming companies requiring each company to provide information on their collection, use, and presentation of personal information, including their data gathering and advertising practices. The orders are issued pursuant to Section 6(b) of the FTC Act, which authorizes the FTC “to conduct wide-ranging studies that do not have a specific law enforcement purpose.” According to a sample order, the FTC seeks information concerning the companies’ privacy policies, procedures, and practices, including: (i) how personal and demographic information for both desktop and mobile devices is collected, used, tracked, estimated, or derived; (ii) how user attribute information is derived in order to determine which ads and other content are shown to consumers; (iii) whether algorithms or data analytics are applied to personal information; (iv) how user engagement is measured, promoted, and researched; and (v) how company policies, procedures, and practices are affecting children and teens, including how children and families are targeted and categorized. The Commission voted 4-1 to issue the orders, with Commissioners Chopra, Slaughter, and Wilson releasing a joint statement highlighting the need for the inquiry in order to, among other things, understand the “full scale and scope of social media and video streaming companies’ data collection.” The Commissioners also emphasized the FTC’s interest in “better understand[ing] the financial incentives of social media and video streaming services.” In dissent, Commissioner Phillips argued that the orders are “an undisciplined foray into a wide variety of topics, some only tangentially related to the stated focus of th[is] investigation.”
FTC settles with payment processor for fraud
On December 10, the FTC announced a settlement with a payment processor and its former CEO (collectively, “defendants”) for allegedly processing consumer credit card payments for certain entities “when they knew or should have known that the schemes were defrauding consumers,” in violation of the FTC Act. According to the complaint, the defendants allegedly arranged for merchants engaged in fraud to obtain merchant accounts with acquiring banks in order to process “unlawful credit and debit card payments through the card networks” totaling more than $93 million in consumer charges. The FTC alleges the defendants knew or should have known that the merchant accounts were being used by third parties that the defendants had not underwritten or being used by merchants to sell products that the defendants had not underwritten. Specifically, the FTC argues that the defendants ignored “clear red flags” that the merchants were operating fraudulent schemes, including high rates of consumer chargebacks and the use of multiple accounts to artificially reduce the number of chargebacks. The FTC notes that a number of the merchants the defendants contracted with were shut down by federal law enforcement.
The proposed order requires the defendants to pay $1.5 million to provide redress to affected consumers, and permanently bans the defendants from (i) acting as a payment processor for any companies providing free trial offers for nutraceutical products; (ii) engaging in credit card laundering; and (iii) assisting companies in the evasion of financial institutions’ fraud monitoring. Additionally, the defendants must conduct enhanced screening and monitoring of merchant clients.
Satellite company to pay over $200 million for telemarketing violations
On December 7, the DOJ announced a settlement with a satellite service provider totaling over $210 million in penalties to be paid to the United States and four states for alleged violations of the TCPA, the FTC Act, and similar state laws. The settlement stems from an action brought by the United States against the satellite company in 2009 asserting that the company initiated millions of unlawful telemarketing calls to consumers and was responsible for millions of calls made by marketers of the company’s products and services. In 2017, a district court awarded the U.S. and the states of California, Illinois, North Carolina, and Ohio $280 million in civil penalties, with a record $168 million going to the federal government (covered by InfoBytes here). On appeal, the U.S. Court of Appeals for the Seventh Circuit affirmed liability but vacated and remanded the monetary award for recalculation.
The stipulated judgment requires the satellite company to pay over $200 million in civil penalties, with $126 million going to the U.S. government, nearly $40 million to California, over $6.5 million to Illinois, nearly $14 million to North Carolina, and $17 million to Ohio.
FTC reaches $62 million settlement with student loan debt relief operation
On November 19, the FTC entered into a settlement with defendants accused of engaging in deceptive practices when marketing and selling student loan debt relief services. As part of its enforcement initiative, Operation Game of Loans (covered by InfoBytes here), the FTC alleged that the defendants violated the FTC Act and Telemarketing Sales Rule (TSR) by, among other things, charging illegal up-front fees to enroll consumers in debt relief programs, accepting monthly payments that were not applied towards student loans, and collecting monthly fees that consumers believed were being applied to their loans but instead were going towards unrelated “financial education” programs (see previous InfoBytes coverage here). Under the terms of the order, the defendants are permanently banned from providing secured and unsecured debt relief products and services, and are prohibited from (i) engaging in unlawful telemarketing practices and violating the TSR; (ii) misrepresenting financial products and services; (iii) making unsubstantiated claims; and (iii) collecting, or assigning any right to collect, payments from consumers for products sold by the defendants. The defendants are also ordered to pay $62 million in monetary relief.
FTC issues final order with skincare company for false reviews
On November 6, the FTC announced a final order with a skincare company, resolving allegations that the company misled consumers by posting fake reviews on a retailer’s website and failed to disclose company employees wrote the reviews. As previously covered by InfoBytes, in October 2019, the FTC filed the complaint against the company asserting that (i) the product reviews posted on the company’s website were not “independent experiences or opinions of impartial ordinary users of the products” and therefore, were false or misleading under Section 5 of the FTC Act; and (ii) the failure to disclose the reviews were written by the owner or employees constitutes a deceptive act or practice under Section 5 of the FTC Act, because the information would “be material to consumers in evaluating the reviews of [the company] brand products in connection with a purchase or use decision.”
The Commission, in a 3-2 vote, approved the final order, which prohibits the company from misrepresenting the status of an endorser, including misrepresentations that the endorser or reviewer is an “independent or ordinary user of the product.” The order requires the company and owner to “clearly and conspicuously, and in close proximity to that representation, any unexpected material connection between such endorser and (1) any Respondent; or (2) any other individual or entity affiliated with the product.” The final order does not include any monetary relief for consumers.
In dissent, two Commissioners objected to the final order, stating that the agency is “doubling down on its no-money, no-fault settlement with [the company], who was charged with egregious fake review fraud.” The dissent urged the Commission to publish a statement on monetary remedies in order to restate “legal precedent into formal rules” and designate specific misconduct as penalty offenses through Section 5(m)(1)(B) of the FTC Act, which allows the agency “to seek penalties against parties who engage in conduct known to have been previously condemned by the Commission.”
Merchant cash advance providers move to dismiss FTC allegations of deceptive and unfair conduct
On October 23, defendants in an FTC lawsuit filed a reply brief in support of their motion to dismiss allegations claiming they misrepresented the terms of their merchant cash advances (MCA), used unfair collection practices, made unauthorized withdrawals from consumer accounts, and misrepresented collateral and personal guarantee requirements in advertisements. As previously covered by InfoBytes, the FTC filed a complaint in August against the defendants—two New York-based merchant cash advance providers and two company executives—alleging deceptive and unfair conduct in violation of Section 5 of the FTC Act. Earlier in October, the defendants filed a motion to dismiss, arguing, among other things, that the FTC “lack[ed] the statutory authority to bring its claims in federal court” under Section 13(b) of the FTC Act because “none of the challenged conduct, to the extent it even occurred or was actionable, is plausibly alleged to be ongoing or ‘about to’ occur.” The FTC countered that it “need only allege” that it had “reason to believe Defendants are violating or are about to violate” Section 5 in order to file suit in federal district court. The FTC further contended that it had also alleged facts sufficient for individual liability.
The defendants responded to the FTC’s opposition to dismissal, arguing, among other things, that even if the FTC invoked the statutory authority under Section 13(b) to have the court hear its claims, the claims fail for other reasons, including that the complaint fails to state a claim under Section 5 by (i) only providing “fragments of advertisements without necessary context”; (ii) ignoring “the express fee disclosures in the MCA agreement” that outline the fees to be paid by a merchant; and (iii) ignoring the fact that “so-called ‘unauthorized’ ACH withdrawals were “explicitly authorized under the MCA agreement.” The defendants further argued that the individual liability claims should also be dismissed because the FTC failed to sufficiently allege that the individual defendants directly participated in or had authority over the alleged conduct.
FTC temporarily halts unlawful debt collection operation
On October 15, the FTC announced that the U.S. District Court for the Northern District of Georgia granted a temporary restraining order against a debt collection operation for allegedly engaging in fraudulent debt collection practices. According to the FTC’s complaint, the operation violated the FTC Act and the FDCPA by, among other things, (i) posing as law enforcement officers, prosecutors, attorneys, mediators, investigators, or process servers when calling consumers to collect debts; (ii) using profane language and threatening consumers with arrest or serious legal consequences if debts were not immediately paid; (iii) threatening to garnish wages, suspend Social Security payments, revoke drivers’ licenses, or lower credit scores; (iv) attempting to collect debts that were either never owed or were no longer owed; (v) unlawfully contacting third parties, such as family members or employers; and (vi) adding unauthorized or impermissible charges or fees to consumers’ debts. The complaint asserts that the operation also refused to provide written verification about the alleged debts as required by the FDCPA. Beyond the temporary restraining order, the FTC is seeking a permanent injunction, contract rescission or reformation, restitution, disgorgement, the appointment of a receiver, immediate access to business premises, an asset freeze, and other equitable relief.
The action is part of the FTC’s “Operation Corrupt Collector”—a nationwide enforcement and outreach effort established last month by the FTC, CFPB, and more than 50 federal and state law enforcement partners to address illegal debt collection practices. (Covered by InfoBytes here.)