InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Payday lender settles with North Carolina AG for $825,000
On January 27, the North Carolina attorney general announced that a Florida-based payday lender (lender) agreed to pay $825,000 to settle allegations of usury, lending without a license, unlawful debt collection and unfair and deceptive practices in violation of state consumer protection laws. According to the announcement, though the lender was not licensed in the state, it advanced “more than 400 loans online to financially distressed North Carolina consumers at interest rates between 78 to 252 percent,” which is markedly higher than the state interest rate limit of 30 percent. The AG claimed that the lender tried to skirt North Carolina laws by requiring some borrowers to collect their loan funds outside of the state. The AG also alleged that the lender required borrowers to secure the loans with their vehicle titles, which enabled the lender to repossess and sell the borrowers’ vehicles when they defaulted or were late on payments. In the settlement, without admitting to the AG’s allegations, the lender agreed to return to North Carolina borrowers (i) all fees and interest paid on the loans by the borrowers; (ii) all the auction proceeds exceeding the loan principal to borrowers whose vehicles were repossessed and sold at auction; and (iii) cars owned by borrowers that were repossessed but not sold at auction. Among other things, the lender will also be permanently barred from making loans to, and collecting payments from, North Carolina borrowers, and is prohibited from putting liens on and repossessing vehicles owned by borrowers.
Appellate Court reverses and remands FACTA action
On January 22, the Illinois Appellate Court, Second District, reversed the dismissal for lack of standing of a FACTA class action brought on behalf of the class by two individuals (consumers) who claimed that an entertainment company (defendant) violated the act when it printed more than the last five digits of the consumers’ payment card number on their receipts. According to the opinion, the complaint alleged that the consumers made a number of purchases from the defendant, each time receiving sales receipts with the first six digits and the last four digits of the consumers’ debit card printed on each receipt. The consumers then filed a class action suit accusing the defendant of willful violation of FACTA, and further, of knowingly or recklessly failing to adhere to the acts’ prohibition against ‘“print[ing] more than the last 5 digits of the card or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.”’ The defendants first removed the action to federal district court, which granted the consumers’ motion to remand back to state court. The defendants then argued that: (i) the consumers lacked standing because they failed to allege an injury; and (ii) the consumers failed to allege facts showing a willful violation of FACTA. The lower court granted the defendant’s motion to dismiss as to standing on the first allegation, but did not consider the second allegation of willfulness, after which the consumers appealed.
Upon appeal, the court reversed the lower court’s dismissal for lack of standing noting that unlike federal courts, Illinois circuit courts are vested with “jurisdiction to adjudicate all controversies,” and determined that the consumers did have standing to sue even without pleading actual injury, as an allegation of the violation was sufficient. The court stated that “when a person willfully fails to comply with FACTA’s truncation requirements, the statute provides a private cause of action for statutory damages and does not require a consumer to suffer actual damages before seeking recourse.” Additionally, the court decided that the consumers had alleged “sufficient facts” to show that defendant willfully violated FACTA. The panel remanded the case to the lower court to further consider the issues.
Illinois AG sues credit repair companies for deceptive practices
On January 13, the Illinois attorney general announced that he filed two separate suits in the Circuit Court of Cook County against two credit repair companies and three individuals who allegedly engaged in deceptive and fraudulent practices when promoting credit repair services to consumers and collecting debts in violation of the Consumer Fraud and Deceptive Business Practices Act, the Credit Services Organization Act, and the Collection Agency Act.
In the first complaint, the AG alleges a credit repair agency is not registered in Illinois as a credit services organization, and that it, along with its owner, a co-defendant, has not filed the statutorily required $100,000 surety bond with the Secretary of State’s office. The AG’s complaint alleges that the company charges unlawful upfront fees while making false promises that it will increase consumers’ credit scores. When the defendants fail to live up to these promises, they subsequently refuse to refund the money that consumers paid for the credit repair services they did not receive.
In the second complaint, the AG makes the same allegations against a different credit repair company, its owner, and a former employee. In addition, the second complaint also alleges that the company operates as a debt collection agency, but does not possess the requisite state license as a collection agency. Further, the complaint claims that, among other things, the defendants extract payments for “completely fabricated” payday loan debt from consumers who do not actually owe on the loans by using threats and other abusive and harassing collection tactics.
The AG seeks a number of remedies including injunctive relief prohibiting all defendants from engaging in any credit repair business, and prohibiting the second company and its owner and employee from engaging in any debt collection business; rescission of consumer contracts; and restitution to all affected consumers.
NYDFS appoints Leandra English to executive team
On January 14, NYDFS Superintendent Linda Lacewell announced that former Deputy Director of the CFPB, Leandra English, will serve as Special Policy Advisor to the Department. In her role, English will report directly to Lacewell and will manage and develop NYDFS’ policy initiatives involving consumers, financial services, and other issues. English will also be responsible for spearheading NYDFS’ policy development and analysis process, and assisting in the identification of common regulatory trends and risks across industries.
Washington state introduces comprehensive privacy bill
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following:
- Applicability. SB 6281 will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 50 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers. Exempt from SB 6281, among others, are state and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records.
- Consumer rights. Consumers will be able to exercise the following concerning their personal data: access; correction; deletion; data portability; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
- Controller responsibilities. Controllers required to comply with SB 6281 will be responsible for (i) transparency; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.”
- State attorney general. SB 6821 does not create a private right of action for individuals to sue if there is an alleged violation. However, the AG will be permitted to bring actions and impose penalties of no more than $7,500 per violation. The AG will also be required to submit a report evaluating the liability and enforcement provisions of SB 6281 by 2022 along with any recommendations for change.
- Information sharing. SB 6281 will allow the state governor to enter into agreements with British Columbia, California, and Oregon, which will allow personal data to be shared for joint research initiatives.
- Facial Recognition. SB 6281 will establish limits on the commercial use of facial recognition services. Among other things, the bill will require third-party testing on all services prior to deployment for accuracy and unfair performance, conspicuous notice when a service is deployed in a public space, and will require companies to receive consumer consent prior to enrolling an image in a service used in a public space.
The second bill, SB 6280, will more specifically govern the use of facial recognition services by state and local government agencies, and, among other things, outlines provisions for the use of facial recognition services when identifying victims of crime, stipulates restrictions concerning ongoing surveillance, and requires agencies to produce an annual report containing a compliance assessment.
As previously covered by InfoBytes, last year, New York introduced proposed legislation (see S 5642) that seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. Provisions included in the measures introduced by New York and Washington state differ from those contained in the California Consumer Privacy Act (CCPA), which took effect January 1. (Previous InfoBytes coverage on the CCPA is available here.)
NYDFS creates Consumer Protection Task Force
On January 9, NYDFS announced the creation of the Consumer Protection Task Force, which will help the department implement the “extensive consumer protections proposals” outlined in the governor’s recent proposal to expand state oversight and enforcement of the financial services industry. (See previous InfoBytes coverage on the governor’s proposal here.) Specifically, the task force will work on measures designed to enhance (i) regulatory oversight of debt collectors; (ii) protections against elder financial abuse; (iii) access to affordable banking services; and (iv) consumer protection laws to defend state residents against unfair, deceptive and abusive practices. Individuals named to the task force were chosen “based on their extensive experience and expertise in the areas of economic justice, housing, health and debt collection, and advocacy on behalf of communities throughout New York.”
ISP pays $15 million to settle with two more states on hidden fees and false advertising
On January 9, the Minnesota attorney general announced that an internet service provider (ISP) agreed to pay nearly $9 million in order to resolve allegations that it overcharged customers for phone, internet and cable services. In a separate action, on December 10, the Washington attorney general’s office announced that it entered into a $6.1 million consent decree with the same ISP to resolve similar claims of deceptive acts and practices. As previously covered by InfoBytes, the ISP entered into settlements over the same alleged actions with the states of Colorado on December 19, and Oregon on December 31.
NCUA releases 2020 supervisory priorities
In January, the NCUA issued a letter to board of directors and chief executive officers at federally insured credit unions outlining the agency’s 2020 supervisory priorities. Top supervisory priorities include:
- Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Examinations will continue to focus on customer due diligence and beneficial ownership requirements. The NCUA will also collaborate with law enforcement and banking regulators on initiatives such as updates to the FFIEC’s BSA/AML examination manual and enforcement guidelines, guidance concerning politically exposed persons, and measures for improving suspicious activity and currency transaction report filing procedures.
- Consumer Financial Protection. Based on a rotating regulation review cycle, NCUA examiners will review compliance (at a minimum) with the following regulations: the Electronic Fund Transfer Act, Fair Credit Reporting Act, Gramm-Leach-Bailey (Privacy Act), Payday Alternative Lending and other small dollar lending, Truth in Lending Act, Military Lending Act, and the Servicemembers Civil Relief Act.
- Cybersecurity. In 2020 the NCUA will continue conducting cybersecurity maturity assessments for credit unions with assets over $250 million and will begin to assess those with assets over $100 million. In addition, the NCUA intends to pilot new procedures—scaled to an institution’s size and risk profile—to evaluate critical security controls during examinations between maturity assessments.
- LIBOR Cessation Planning. Examiners will assess credit unions’ planning related to the discontinuation of LIBOR. According to the NCUA, credit unions should “proactively transition away from instruments using LIBOR as a reference rate.”
Other areas of focus include credit risk, current expected credit losses, liquidity risk, and modernization updates. The extended examination cycle will continue to apply to qualifying credit unions.
Mortgage broker allegedly violated federal laws by posting customers’ personal information on website
On January 7, the FTC announced a proposed settlement with a California mortgage broker and his company to resolve alleged violations of the FTC Act, FCRA, Regulation P, and the Safeguards Rule. According to a complaint filed by the DOJ on behalf of the FTC, the defendants published the personal information of customers who posted negative reviews on a public website, including customers’ “sources of income, debt-to-income ratios, credit history, taxes, family relationships, and health.” The alleged posts containing negative financial information violated the defendants’ responsibilities under Regulation P (Privacy of Consumer Financial Information) as the required privacy disclosure provided to the customers stated that the defendants would not share personal information with any third party. Regulation P also “prohibits financial institutions from disclosing to any nonaffiliated third party any nonpublic personal information about a customer unless it has provided the customer with an opt-out notice, . . . a reasonable opportunity to opt out of the disclosure, and the customer has not opted out.” In this instance, customers were not given the opportunity to opt out of disclosure of their personal financial information in response to online consumer reviews, the complaint asserts. In addition, the complaint alleges that the defendants also violated the FTC Act by causing unfair or deceptive acts or practices that “deprived consumers of the ability to control whether and to whom they disclosed sensitive information.” The defendants also allegedly violated the FCRA by using consumer reports for impermissible purposes, and the FTC’s Safeguards Rule by failing to implement or maintain an adequate information security program. Under the terms of the proposed settlement, the defendants will pay a $120,000 civil penalty and are prohibited from (i) misrepresenting their privacy and data security practices; (ii) using consumer reports for anything other than a permissible purpose; (iii) not providing required privacy notices; and (iv) improperly disclosing nonpublic personal information to third parties. Among other things, the company is also prohibited from transferring, selling, sharing, collecting, maintaining, or storing nonpublic personal information unless it implements a comprehensive information security program; and must obtain independent third-party assessments of its information security program every two years.
FTC notes data security order improvements
On January 7, the Director of the FTC’s Bureau of Consumer Protection noted that the Commission has made “three major changes” in its data security orders to “improve data security practices and provide greater deterrence” by focusing on specificity, accountability, and responsibility. The first change increases the specificity of data security orders to “make the FTC’s expectations clearer” and “improve order enforceability.” The second change increases the accountability of the third-party assessors who review the comprehensive data security programs that the orders exact, by requiring assessors to include specific evidence for each determination and to accommodate requests from the FTC to review the assessments. The third change emphasizes executive responsibility. Yearly, companies will be required to present their data security programs to board and senior company executives who must certify the company’s compliance to the FTC. The announcement also pointed to a number of 2019 orders to demonstrate the “significant improvements” the agency has made with the three changes.