InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Federal Reserve Board Issues Consent Order for the Alleged Deceptive Marketing of Balance Transfer Credit Cards
On October 26, the Federal Reserve Board (Fed) announced it had entered into a consent order with Mid America Bank & Trust Company (Mid America) over allegations that the bank engaged in deceptive practices in violation of the FTC Act involving balance transfer credit cards issued to consumers through third party independent service organizations. On the same day, the Fed announced its approval of an application by Reliable Community Bankshares, Inc. to acquire Mid America’s holding company, Mid America Banking Corporation. The allegations pertain to the adequacy of marketing materials, disclosures and other customer communications that described certain terms of the balance transfer cards such as credit reporting, available credit, and application of the statute of limitations to transferred balances. The Fed’s order requires the bank to refund certain fees, account balances and payments to its cardholders and other non-monetary actions, including compliance program enhancements. The order did not impose a civil money penalty.
FTC Obtains Default Judgment Against Operations That Allegedly Sold Counterfeit Payday Loan Debt Portfolios
On October 17, the FTC issued a press release announcing a default judgment in an action brought against two Kansas-based operations and their owner (defendants), who allegedly violated the Federal Trade Commission Act by selling lists of counterfeit payday loan debt portfolios to debt collectors. The allegations claimed that in numerous instances, the portfolios listed “loans that the identified lenders have not, in fact, made to the identified consumers,” and that the defendants “have not purchased, or otherwise obtained, any rights to collect loan debts originated by the lenders listed . . ., nor have they engaged in any transaction that authorizes them to collect, sell, distribute, or transfer any valid loans originated by those lenders.” As a result, numerous consumers were contacted by various debt collectors demanding repayment of the fake debts, and in some instances, consumers made payments to either stop the collection calls or because they feared becoming delinquent. Under the terms of the default judgment, the defendants (i) must pay more than $4.1 million as equitable monetary relief; (ii) are banned from handling sensitive financial information, such as “bank account numbers, credit or debit card numbers, or social security numbers”; and (iii) are prohibited from misrepresenting material facts.
FTC Announces Two Separate Settlements to Resolve Allegedly Deceptive Telemarketing Schemes
On September 1, the FTC issued a press release announcing a settlement with a Utah-based operation and its owner (Defendants) to resolve allegations that the company had created merchant accounts to help telemarketers process consumer credit card transactions in violation of the Federal Trade Commission Act (FTC Act) and the Telemarketing Sales Rule (TSR). According to the complaint, Defendants nominated individuals to serve as “principals” of straw companies, which then were used to open merchant accounts to assist telemarketers who did not meet the requirements or standards for opening the accounts on their own. The telemarketers, in turn, allegedly deceived consumers by making false promises regarding business opportunities that they claimed would generate substantial income, and processed credit card payments from consumers using the straw company merchant accounts for the allegedly “worthless opportunities.” Under the terms of the order, Defendants are permanently banned from the payment processing business, including acting as an independent sales organization or sales agent, and must pay a judgment of more than $3 million. The FTC suspended the judgment due to the Defendants’ inability to pay, but noted that it “will become due immediately if [Defendants] are found to have misrepresented their financial condition.”
Separately on August 31, the FTC announced that a default judgment had been issued in a pending action brought against the operators of a deceptive telemarketing scheme who allegedly targeted Spanish-speaking consumers by pretending to be affiliated with the Peruvian government and deceived consumers by giving the impression that the calls were from emergency responders or by people the consumers had provided as references. The allegations, which violated the FTC Act and the TSR, claimed that consumers were presented opportunities to participate in language courses at discounted prices and were misled about prizes they had won. When consumers declined to participate or cancelled delivery of the prizes, the telemarketers made “false and threatening” claims of “legal or financial consequences,” allegedly posing as lawyers or government officials. Under the terms of the default judgment, the telemarketers (i) are ordered to pay $6.3 million as equitable monetary relief; (ii) are banned from telemarketing activities; and (iii) prohibited from misrepresenting material facts.
FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security
On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”
According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (iii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.
The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.
FTC Enters Consent Order with Final Defendant in Alleged 2015 Debt Collection Scheme
On August 30, the FTC announced a settlement banning the final defendant who had participated in a debt collection scheme from debt collection activities. The settlement stems from a 2015 action against three groups of defendants who allegedly violated the FTC Act and the Fair Debt Collection Practices Act (FDCPA) by engaging in the following activities, among others: (i) attempting to collect debts consumers claimed they did not owe; (ii) impersonating law enforcement to threaten non-compliant consumers with arrests and lawsuits; (iii) harassing friends, family members, and employees in an attempt to collect debts; and (iv) failing to identify themselves as debt collectors. (See previous InfoBytes summary here.) In 2016, the FTC reached separate settlements (here and here) against two of the three groups of debt collectors. In addition to banning the final defendant from debt collection activities, the 2017 action also imposes a $9.39 million judgment to be suspended due to the defendant’s inability to pay. However, the judgment will become immediately due if the defendant is found to have misstated his financial condition.
FTC Files Complaint Against Debt Collection Operation for FTC Act and FDCPA Violations
On August 29, the FTC issued a press release announcing charges against a North Carolina-based debt collection business (defendants) for allegedly using a variety of “trade names” that sound like law firms to threaten individuals if they failed to pay debt they did not actually owe or that the defendants had no right to collect. According to the complaint, the defendants violated the FTC Act by making false, unsubstantiated, or misleading representations regarding debt owed on payday loans or other debts and threatening legal action. Additionally, the defendants allegedly violated the Fair Debt Collection Practices Act by: (i) communicating with consumers “at times or places known or which should be known to be inconvenient to the consumer” or “at the consumer’s place of employment when Defendants knew or had reason to know that the consumer’s employer prohibits the consumer from receiving such communications”; (ii) engaging in “unlawful third-party communications” without obtaining prior consumer consent; (iii) participating in harassing and abusive collection practices; (iv) making false, deceptive, or misleading representations, including by withholding the true status of the debt, impersonating attorneys, threatening legal action, and failing to disclose they were debt collectors; and (v) failing to provide consumers written verification of their debt within the required time frame. A federal judge in the U.S. District Court for the Western District of North Carolina has temporarily restrained and enjoined the defendants’ alleged illegal practices and frozen their assets.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
FTC Announces Settlement with Ride-Sharing Company Over Privacy Allegations
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.