InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden announces student debt cancellation for borrowers who attended “predatory” institutions
On May 1, the Biden Administration announced the approval of $6.1 billion in student debt cancellation for 317,000 borrowers who attended a system of art schools, which the Administration accused of engaging in deceptive practices and leaving students with significant debt and poor job prospects.
The U.S. Department of Education found the system of art schools and its parent company guilty of significant misrepresentations about the educational value and career prospects following graduation on websites, in print material, and through misleading information from school personnel to prospective students. The school advertised an employment rate of 82 percent within six months of graduation within the field of study; however, a review of the school's records by the Department of Education alleged that graduates were inaccurately counted as employed in their study fields, inflating the figures by as much as 25 percent. Additionally, the school advertised inflated average salaries based on the same incorrect data, with testimonies indicating that school officials fabricated graduates’ earnings. All campuses of the school system closed under separate ownership in September 2023.
DFPI annual report highlights consumer protection efforts and upcoming regulations
On April 25, the California DFPI released its Annual Report of Activity under the California Consumer Financial Protection Law (CCFPL), highlighting investigations, public actions, and consumer outreach efforts under the CCFPL. According to the report, the DFPI (i) experienced a 70 percent increase in CCFPL complaints, which predominantly involved crypto assets and debt collectors; (ii) opened 734 CCFPL-related investigations and issued 181 public CCFPL actions; (iii) launched the Crypto Scam Tracker and a new consumer complaints portal; and (iv) advanced two rules, including unlawful, unfair, deceptive, or abusive acts and practices (UUDAAP) protections for small businesses and new registration requirements (pending final approval by the Office of Administrative Law) for earned wage access, debt settlement services, debt relief services, and private postsecondary education financing products.
The report emphasized that the new regulations specified that optional payments, such as tips, collected by California Financing Law (CFL)-licensed lenders would be considered charges under the law. According to the DFPI, these updates will reinforce the CFL by blocking potential loopholes and ensuring compliance among CFL-licensed lenders. Once these regulations would be approved, DFPI will oversee these financial service providers. Upon adoption, DFPI says it will be a pioneer in defining “earned wage access” as loans and regulating income advance services and the treatment of tips as charges, all through regulatory measures rather than statutory enactment.
FTC alleges ROSCA, GLBA and FTC Act violations against bill payment platform
On April 25, the FTC announced an enforcement action against a third-party bill payment platform and two of its co-founders (defendants) for allegedly running misleading advertisements that intercepted consumers attempting to reach their billers, using “dark patterns” to manipulate the consumers into using the platform under the false belief that they have reached the biller’s official payment site, charging “junk fees” in connection with the processing of payments, and in some cases sending untimely payments to billers. According to the FTC’s complaint, the company allegedly violated the FTC Act by making false or misleading representations that it was an official payment channel for the consumers’ billers. The FTC also claimed defendants violated the Restore Online Shoppers’ Confidence Act by charging consumers for goods or services before clearly and conspicuously disclosing to consumers all material terms of the transaction and obtaining the consumers’ informed consent to be charged, and enrolling consumers into a paid subscription service by automatically ticking a box without warning when consumers clicked on a “User Terms of Service” hyperlink. Additionally, the FTC alleged that the company caused consumers to incur late fees and other inconveniences by failing to make timely payment to consumers’ billers, despite having received timely payment from the consumer. The FTC’s complaint also alleged that defendants used fraudulent statements or representations to obtain consumer information such as bank account numbers, routing numbers, credit card numbers, and debit card numbers in violation of the Gramm-Leach-Bliley Act.
The FTC claimed that defendants received tens of thousands of consumer complaints, inquiries from two state attorney’s general offices, and temporarily lost access to a credit card company’s network due to the complaints, among other warnings regarding its practices. The FTC will seek a permanent injunction, monetary relief, and other relief.
Tennessee amends caller ID law
On April 22, Tennessee enacted HB 2504 (the “Act”), which amends the Tennessee Consumer Protection Act of 1977 to specify that it is illegal for: (i) “[a] person, in connection with a telecommunications service or an interconnected VoIP service, to knowingly cause any caller identification service to transmit misleading or inaccurate caller identification information to a subscriber with the intent to defraud or cause harm to another person or to wrongfully obtain anything of value”; and (ii) “[a] person, on behalf of a debt collector or inbound telemarketer service, to knowingly cause any caller identification service to transmit misleading or inaccurate caller identification information, including caller identification information that does not match the area code of the person or the debt collector or inbound telemarketer service the person is calling on behalf of, or that is not a toll-free phone number, to a subscriber with the intent to induce the subscriber to answer.”
The Act is effective on July 1.
CFPB publishes the mortgage servicer edition of its Supervisory Highlights
On April 24, the CFPB published its 33rd edition of its Supervisory Highlights which covers select examinations and violations regarding mortgage servicing from April 1, 2023, through December 31, 2023. This edition of Supervisory Highlights focused on alleged violations of law identified in CFPB examinations including (i) charging illegal junk fees including impermissible property inspection and late fees; (ii) UDAAP violations; and (iii) violations of Regulation X loss mitigation requirements. The Bureau made clear in its press release that it plans to continue its focus on combatting junk fees within and beyond the mortgage servicing space.
The CFPB highlighted several violations of law resulting from mortgage servicers’ payment processing practices including the charging of property inspection fees in connection with certain Fannie Mae loans in violation of investor guidelines. To rectify this, servicers addressed system errors causing the fees in question, enhanced oversight, and were instructed to compensate affected borrowers. Other payment processing-related violations identified by the Bureau included failure to adequately describe fees in periodic statements by using the term “service fee” to describe 18 different fee types and failure to make timely disbursements from escrow accounts in violation of Regulation X.
The Bureau also identified unfair practices relating to the charging of late fees in excess of the amount authorized in the loan agreement or after consumers had entered into loss mitigation agreements, which should have prevented late fees. Servicers identified as having engaged in such violations were required to refund the fees to consumers and improve internal processes in response to the findings.
The CFPB also identified violations of law relating to loss mitigation and loan modifications. Examiners noted that some servicers failed to provide a written notice confirming the receipt of loss mitigation applications and informing consumers of whether the application was complete or incomplete. Further, some servicers failed to provide timely and complete notices of loss mitigation options. Additionally, some servicers, in violation of Regulation X, failed to waive existing fees after borrowers had accepted Covid-19 hardship loan modifications.
Examiners also found that certain servicers committed deceptive practices by sending out delinquency notices incorrectly stating that consumers had missed payments and needed to apply for loss mitigation when those consumers were actually up to date on their payments, enrolled in trial modification plans, or had inactive loans (such as those already paid off or in the process of a short sale).
Finally, the Bureau identified violations of law relating to (i) live contact and early intervention requirements in connection with delinquency and (ii) failure to retain adequate records.
Tennessee prevents lenders from discriminating against specific factors
On April 22, the Governor of Tennessee signed into law HB 2100 (the “Act”) which amended the state consumer protection codes to prevent financial institutions and insurers (collectively, institutions) from discriminating in the provision or denial of services based on certain enumerated factors. Specifically, institutions will not be allowed to discriminate based on, among others: (i) a person’s political opinions, speech, or affiliations; (ii) a person’s religious beliefs, exercise, or affiliations; (iii) any factor that is not a quantitative, impartial and risk-based standard; or (iv) a “social credit score” that is based on certain identified factors, including the lawful ownership of a firearm, engagement in fossil fuel-related business, support of the state or federal government’s efforts to combat illegal immigration, or a person’s failure to meet environmental, social governance, corporate board composition, social justice, or diversity, equity, and inclusion standards so long as the person is in compliance with applicable state or federal law. The Act provides that engaging in the prohibited forms of discrimination constitutes an unfair trade practice. The Act will go into effect on July 1.
New York AG settles with bank over EIPA violations
On April 17, the New York attorney general (AG) announced a settlement with a bank (respondent) to resolve allegations that respondent improperly froze customer accounts and paid out consumer funds to debt collectors, and failed to properly oversee its service providers engaging in similar activity, in violation of the Exempt Income Protection Act (EIPA). The EIPA requires that banks, among other things, “not restrain consumers’ use of statutorily exempt funds, such as social security benefits, veterans benefits, and disability insurance… in consumers’ bank accounts up to an amount set every three years by New York’s Department of Financial Services.” New York law also bars debt collectors from acquiring funds that include certain government benefits.
According to the settlement, respondent typically employs the assistance of specific third-party servicer providers to market and deliver banking products like debit cards, prepaid cards, payroll cards, or gift cards to consumers while respondent holds the funds loaded onto those cards. Servicer providers administer the program and interact with consumers, including by clearing transactions through a network processor approved by respondent, and generally handling transaction disputes and preparing account statements, while respondent oversees and monitors the program and the service provider while retaining full control of the funds. The AG claimed that respondents failed to ensure its servicer providers complied with the EIPA, and that on numerous occasions, servicer providers allegedly froze accounts holding exempt funds or accounts with balances below legal thresholds, then paid debt collectors with the frozen funds under the instruction of respondent.
According to the AG, respondent’s servicer providers also engaged in deceptive acts and practices by allegedly falsely labeling legal processes as “court orders” instead of documents from debt collectors. Respondents also allegedly provided false information that account freezes could not be lifted even when account balances were below legal thresholds, and falsely claiming only debt collectors could release the freeze. Additionally, servicer providers allegedly directed consumers to debt collectors who often sought deals to release account freezes for a portion of the account balance, despite the freezes being void and subject to the protected wage threshold.
Under the terms of the settlement, respondent will refund $79,664 plus interest to approximately 88 New Yorkers whose funds were wrongfully turned over to debt collectors and amend its policies and procedures. Respondent must also pay a civil money penalty of $627,000, and comply with ongoing monitoring and compliance requirements.
FTC report to Congress suggests legislative enhancements on consumer protection
On April 10, the FTC issued a report addressed to Congress detailing its efforts to collaborate with state attorneys general (AGs) from across the U.S. on consumer protection law enforcement goals. The report, titled “Working Together to Protect Consumers: A Study and Recommendations on FTC Collaboration with the State Attorneys General,” was issued pursuant to the FTC Collaboration Act of 2021 and included legislative recommendations to enhance the FTC’s consumer protection efforts. The report followed a request for information issued by the FTC in June 2023, seeking public comments on how the FTC might improve collaboration with state AGs to protect consumers from fraud and ensure fairness in the marketplace.
The FTC's report was divided into three main sections:
- The first section outlined the existing collaborative practices between the FTC and state AGs, detailing their shared roles in combating frauds and scams, the respective law enforcement authority of the FTC and the AGs, and the ways federal and state enforcers can share the information they gather, including through networks such as the Consumer Sentinel Network consumer complaint database.
- The second section described best practices to ensure effective collaboration between the FTC and state AGs, including strong information-sharing practices and coordination of enforcement actions. It also suggested ways to expand the sharing of technical resources and expertise between federal and state agencies.
- The third section provided legislative recommendations aimed at improving collaboration efforts by providing the FTC with clearer authority to pursue legal actions. This section emphasized a request for Congress to restore the FTC’s authority to seek monetary refunds for consumers who have been defrauded, following a 2021 U.S. Supreme Court decision holding that such relief was not available to the Commission (covered by InfoBytes here). Additionally, this section suggested giving the FTC independent authority to seek civil penalties and clear authority to take legal action against facilitators of unfair or deceptive practices.
In its report to Congress, the FTC emphasized the importance of a collaborative approach to consumer protection among enforcement agencies and states, continuing to seek ways to strengthen its ties with state AGs to address future challenges.
CFPB focuses on in-game video game market and its consumer protection issues
On April 4, the CFPB released a report titled “Banking in video games and virtual worlds” that examined the gaming industry and the consumer financial systems that affect it. The Bureau’s report identified three key findings: (i) a network of financial products and services has entered the gaming industry to leverage and support the transfer of gaming assets and currency; (ii) the increased value of these assets has led to an increase of hacking attempts, account theft, scams, and unauthorized transactions; and (iii) the consumer data collected by gaming companies was bought, sold, and traded between companies, which can pose a risk to gaming customers. As a result, the CFPB will intend to monitor these issues in gaming and other such non-traditional markets to ensure companies comply with federal consumer financial protection laws.
The report noted that the proliferation of gaming and the evolution of the industry to offering in-game purchases and gaming assets has created the need for an infrastructure to enable fiat currency to flow into and out of games and virtual worlds. This can include transactions within the game, trading virtual items with other players, buying products on secondary markets, converting gaming assets to traditional currency, withdrawals of that currency, and/or using third parties to convert and withdraw the currency. As a result, companies have established financial products and services that increasingly resemble traditional financial products, like loans, payment processing, and money transmission.
In addition to the gaming economy creating a relatively new and unregulated financial marketplace, the Bureau identified additional risks similar to those found in the traditional market surrounding fraud, identity theft, money laundering, and privacy. For example, the report noted that these highly valuable gaming assets have made player accounts vulnerable to phishing and hacking attempts as well as unauthorized transactions. However, efforts by the FTC or CFPB to address complaints related to this activity have been met with a “buyer beware” approach by gaming companies.
Further, gaming companies collect a significant amount of data on players as a way to personalize the experience. However, the companies use this data to monetize gameplay to entice more spending as well as buy, sell and trade this data. The report noted that (i) the use of personal data can result in highly individualized pricing and (ii) the storage and transfer of consumer data poses privacy risks for gamers. In light of these various issues, the CFPB plans to work with other agencies to monitor both these non-traditional financial products and services as well as the companies that collect and sell sensitive consumer data.
Kentucky enacts a comprehensive data privacy law for controllers
On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produces products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers and derive over 50 percent gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.
The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.
The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers will have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given another possible 45-day via an extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.