InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC alleges ROSCA, GLBA and FTC Act violations against bill payment platform

    Federal Issues

    On April 25, the FTC announced an enforcement action against a third-party bill payment platform and two of its co-founders (defendants) for allegedly running misleading advertisements that intercepted consumers attempting to reach their billers, using “dark patterns” to manipulate the consumers into using the platform under the false belief that they have reached the biller’s official payment site, charging “junk fees” in connection with the processing of payments, and in some cases sending untimely payments to billers. According to the FTC’s complaint, the company allegedly violated the FTC Act by making false or misleading representations that it was an official payment channel for the consumers’ billers. The FTC also claimed defendants violated the Restore Online Shoppers’ Confidence Act by charging consumers for goods or services before clearly and conspicuously disclosing to consumers all material terms of the transaction and obtaining the consumers’ informed consent to be charged, and enrolling consumers into a paid subscription service by automatically ticking a box without warning when consumers clicked on a “User Terms of Service” hyperlink. Additionally, the FTC alleged that the company caused consumers to incur late fees and other inconveniences by failing to make timely payment to consumers’ billers, despite having received timely payment from the consumer. The FTC’s complaint also alleged that defendants used fraudulent statements or representations to obtain consumer information such as bank account numbers, routing numbers, credit card numbers, and debit card numbers in violation of the Gramm-Leach-Bliley Act.

    The FTC claimed that defendants received tens of thousands of consumer complaints and inquiries from two state attorneys general’s offices, and temporarily lost access to a credit card company’s network due to the complaints, among other warnings regarding their practices. The FTC will seek a permanent injunction, monetary relief, and other relief.

    Federal Issues FTC Enforcement ROSCA GLBA Junk Fees FTC Act Consumer Protection Third-Party

  • FDIC issues February enforcement action against New York bank for lack of effective third-party oversight

    On March 29, the FDIC released its list of February 2024 enforcement actions, which included a consent order against a New York digital bank in which the FDIC alleged a lack of sufficient oversight of the bank’s third-party relationships. According to the consent order, the bank allegedly engaged in unsafe and unsound banking practices due to a lack of internal controls appropriate to the bank’s size and risk of its third-party relationships, and weaknesses in board oversight of asset growth and management, among other issues. The FDIC further alleged that the bank violated several laws including BSA, EFTA, and TISA.

    The FDIC ordered the bank’s board to increase its oversight of the bank’s management and the bank’s financial condition commensurate with the size of the bank and the risk of its third-party relationships. Further, the FDIC ordered the board to correct or eliminate any unsafe banking practices or violations of the law. On data and systems, the FDIC ordered the bank to conduct a data and systems review and develop a written action plan to address any deficiencies or weaknesses. Notably for the bank’s third-party relationships, the FDIC ordered that the bank’s procedures, data, and systems include “clear lines of authority” responsible for monitoring bank procedures and effective risk assessments. Finally, among other things, the FDIC ordered the bank to implement look-back reviews and have its board review the bank’s program to ensure compliance with consumer-related laws. 

    Bank Regulatory Enforcement FDIC Third-Party Bank Secrecy Act EFTA New York

  • DFPI fines online platform for omitting convenience fee disclosures

    State Issues

    On January 9, DFPI issued a consent order against an online platform (respondent) that enables merchants to provide installment contracts to customers. The consent order resolved alleged violations of the California Consumer Financial Protection Law (CCFPL) arising from the convenience fees assessed by a third-party service provider when consumers opt to pay their installments online or by phone. According to the consent order, since 2021 respondent guaranteed that consumers entering into contracts on its platform had a fee-free payment method. However, for a time respondent failed to disclose potential optional convenience fees in the initial contract. Although the third-party servicer disclosed the convenience fees to consumers, DFPI took issue with the respondent’s failure to disclose these fees before transferring consumers to the third-party servicer to enter into the contracts. In other words, consumers only became aware of both the existence and amounts of these fees after entering into contractual obligations. DFPI accused respondent of deceiving consumers by failing to disclose this information first.

    Under the terms of the consent order, respondent must pay a $50,000 penalty and must disclose information about the potential convenience fees that may be assessed by a servicer.

    State Issues California DFPI CCFPL Enforcement Disclosures Third-Party Consumer Finance

  • FSB report addresses financial risk concerns with third-party relationships

    Agency Rule-Making & Guidance

    On December 4, the Financial Stability Board (FSB) published a report titled “Enhancing Third-Party Risk Management and Oversight: A Toolkit for Financial Institutions and Financial Authorities,” as summarized in this press release. The report provides a toolkit that: (i) defines common terms to improve consistency among financial institutions, including “third-party service relationship,” “service provider,” and “critical service,” among others; (ii) outlines tools for financial institutions to identify critical third-party services and manage potential risks throughout the service lifecycle, onboarding and monitoring of service providers, and reporting incidents, among others; and (iii) outlines tools for financial authorities to manage third-party risks, including how to identify third-party dependencies and potential systemic risks. In preparing the report, the FSB received public feedback over the past summer regarding risk concerns stemming from outsourcing and third-party service relationships.

    Agency Rule-Making & Guidance FSB Third-Party Third-Party Risk Management Of Interest to Non-US Persons Financial Institutions

  • FTC fines two companies $6M for inaccurate background reports

    Federal Issues

    The FTC fined two companies that sell consumer background reports through subscriptions for violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). In addition to allegedly claiming, without substantiation, to have the most accurate reports available to the public, the complaint says the two companies deceptively claimed individuals had criminal or arrest records when the individuals did not; deceptively claimed consumers can remove information or flag it as inaccurate; and deceptively failed to disclose that third-party reviews were incentivized and biased.

    The companies also furnished consumer reports to subscribers “without reason to believe those subscribers have permissible purposes to obtain such reports.”

    The stipulated order requires the companies to pay a civil penalty of $5.8 million, prohibits them from advertising, marketing, promoting, or offering for sale certain reports including arrest records, bankruptcy records, and eviction records until they establish and implement a comprehensive monitoring program, and prohibits them from continuing any of the deceptive practices set forth in the complaint.

    Federal Issues FTC Enforcement FTC Act FCRA Consumer Reporting Deceptive Third-Party

  • Judge grants MSJ in class action over disputed debt investigation


    On July 28, the U.S. District Court for the Southern District of Alabama granted summary judgment in favor of a defendant third-party debt collector in an FCRA and FDCPA putative class action, holding that the defendant carried out a reasonable investigation following plaintiff’s dispute of the debt it had reported to credit reporting agencies (CRAs) and that the plaintiff failed to establish that the defendant knew or should have known that the debt was inaccurate or invalid. Defendant entered into an asset purchase agreement with another third-party debt collector and reported debts to credit reporting agencies under the name of the non-defendant third-party debt collector, including an account erroneously associated with plaintiff. When defendant received notice that plaintiff disputed the erroneous account information, defendant verified the account information in its system and provided by the CRA, asked the creditor to provide account documentation, and then requested that the CRAs delete their reporting of the account once the creditor failed to provide account documentation within the requested thirty-day period.

    In relation to the FCRA claim, the court found that the defendant “did everything required by the FCRA in response to Plaintiff’s dispute” such that the plaintiff “failed to establish how this investigation was not reasonable” or in violation of the FCRA. The court also found that plaintiff “failed to show that any different result would have occurred had [defendant] conducted any part of its investigation differently.” Finally, plaintiff’s claim failed as a matter of law concerning defendant’s initial report of the debt to the CRAs because the defendant was not required under the FCRA to “investigate the validity of a debt before commencing to report on that account to the CRAs.” While the defendant was prohibited from reporting inaccurate consumer information, no private cause of action exists for violations of this initial reporting provision of the FCRA.

    For the FDCPA claim, the court held that the plaintiff failed to establish that the defendant had knowledge that the debt it reported was not accurate or was otherwise disputed or invalid. Because the CFPB passed Regulation F in November 2021, after the events in question in this litigation, furnishing information regarding a debt to a CRA before communication with plaintiff was not unlawful at that time. Finally, the court found that plaintiff failed to timely assert that defendant violated the FDCPA provision prohibiting false, deceptive, or misleading representation by using the non-defendant third-party debt collector’s name when reporting the account to the CRAs because this allegation was not present in plaintiff’s complaint.

    Courts Third-Party Debt Collection FCRA FDCPA Alabama Credit Reporting Agency Class Action

  • FTC fines company $7.8 million over health data and third-party advertisers

    Federal Issues

    On July 14, the FTC finalized an order against an online counseling service, requiring it to pay $7.8 million and prohibiting the sharing of consumers’ health data for advertising purposes. The FTC alleged that the respondent shared consumers’ sensitive health data with third parties despite promising to keep such information private (covered by InfoBytes here). The FTC said it will use the settlement funds to provide partial refunds to affected consumers. The order not only bans the respondent from disclosing health data for advertising and marketing purposes but also prohibits the sharing of consumers’ personal information for re-targeting. The order also stipulates that the respondent must now obtain consumers’ affirmative express consent before disclosing personal information, implement a comprehensive privacy program with certain data protection measures, instruct third parties to delete shared data, and adhere to a data retention schedule.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement Consumer Protection Telehealth FTC Act Deceptive Advertisement Third-Party

  • Texas enacts data broker requirements

    State Issues

    The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.

    The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.

    The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.

    State Issues Privacy, Cyber Risk & Data Security State Legislation Texas Data Brokers Third-Party

  • NCUA annual report to Congress covers cybersecurity

    Privacy, Cyber Risk & Data Security

    On June 28, the NCUA released its annual report on cybersecurity and credit union system resilience to the House and Senate banking committees. The report outlines measures the agency has taken to strengthen cybersecurity within the credit union system, outlines significant risks and challenges facing the financial system due to the NCUA’s lack of authority over third-party vendors, and addresses current and emerging threats. Explaining that cybersecurity is one of the NCUA’s top supervisory priorities with cyberattacks being a top-tier risk under the agency’s enterprise risk management program, the report discusses ways the NCUA continues to enhance the cybersecurity resilience of federally insured credit unions (FICUs). Measures include continually improving the agency’s examination program, providing training and support, and implementing a final rule in February, which requires FICUs to report any cyberattacks that disrupt their business operations, vital member services, or a member information system as soon as possible (and no later than 72 hours) after the FICU’s “reasonable belief that it has experienced a cyberattack.” The final rule takes effect September 1. (Covered by InfoBytes here.) The report also raises concerns regarding the NCUA’s lack of authority over third-party vendors that provide services to FICUs. Calling this a “regulatory blind spot” with the potential to create significant risks and challenges, the agency stresses that one of its top requests to Congress is to restore the authority that permits the agency to examine third-party vendors.

    Privacy, Cyber Risk & Data Security Federal Issues NCUA Credit Union House Financial Services Committee Senate Banking Committee Third-Party

  • Agencies flag intermediaries in evading Russia-related sanctions

    Financial Crimes

    On March 2, the DOJ, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), and the Department of Commerce’s Bureau of Industry and Security (BIS) issued a joint compliance note on the use of third-party intermediaries or transshipment points to evade Russian- and Belarussian-related sanctions and export controls. This is the first collective effort taken by the three agencies to inform the international community, the private sector, and the public about efforts taken by malign actors to evade sanctions and export controls in order to provide support for Russia’s war against Ukraine. The compliance note outlines enforcement trends and details attempts made by Russia “to circumvent restrictions, disguise the involvement of Specially Designated Nationals and Blocked Persons [] or parties on the Entity List in transactions, and obscure the true identities of Russian end users.” The compliance note also provides common red flags indicating whether a third-party intermediary may be engaged in efforts to evade sanctions or export controls, and outlines guidance for companies on maintaining effective, risk-based sanctions and export compliance programs. The agencies highlight other measures taken to constrain Russia, including stringent export controls imposed by BIS to restrict Russia’s access to technologies and other items, sanctions and civil money penalties issued against U.S. persons who violate OFAC sanctions and non-U.S. persons who cause U.S. persons to violate Russian sanctions programs, and the DOJ’s interagency law enforcement task force, Task Force KleptoCapture, which enforces sanctions, export controls, and economic countermeasures imposed by the U.S. and foreign allies and partners.

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Russia Ukraine Ukraine Invasion Department of Treasury DOJ Department of Commerce Third-Party

