InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court files temporary restraining order to stop scammers in FTC suit
On August 21, the FTC announced it has stopped California-based scammers (defendants) who allegedly preyed on students seeking debt relief by pretending to be affiliated with the Department of Education. According to the August 14 complaint, since at least 2019, the defendants allegedly targeted students and illegally collected $8.8 million in advance fees in exchange for student loan debt relief services that did not exist. The defendants allegedly misled consumers by charging them for services that are free through the Department of Education, claiming consumers needed to pay fees or make payments to access federal student loan forgiveness, using names like "Biden Loan Forgiveness," that does not correspond to any actual government program. For instance, one consumer was asked to pay $375 for a processing fee to have up to $20,000 in loans forgiven because of a Pell Grant. Another was told they would get a $10,000 reduction in their loan balance and a new repayment plan with six $250 monthly payments under the “student loan forgiveness program.” The FTC alleges violations of Section 5 of the FTC Act, which prohibits deceptive acts or practices, TCPA, and the Gramm-Leach-Bliley Act. The complaint also alleges that the defendants used such misrepresentations to illegally obtain consumers’ banking information, and typically collected hundreds of dollars in unlawful advance fees—sometimes through remotely created checks in violation of the Telemarketing Sales Rule. The U.S. District Court of the Central District of California filed a temporary restraining order, resulting in an asset freeze, among other things. The FTC seeks preliminary, and permanent injunctive relief, monetary relief, and other relief.
CFPB sues installment lending conglomerate
On August 22, the CFPB announced it is suing a lending company and its subsidiaries that provide installment loans as a refinance option to consumers who have difficulty paying their existing loans. According to the complaint, the Bureau claims that through an array of underwriting, sales, and servicing practices, the company would encourage consumers with limited loan options to repeatedly refinance their existing loans, securing fees with each successful round of refinancing. The CFPB alleges the company and its subsidiaries generated over 40 percent of its net revenue through the loan costs and fees it derived from “churning” consumers in repeated refinances. The complaint includes details of the sales tactics, and how a district supervisor “plainly tells their employees that if they don’t refinance their delinquent customers, they’re not going to meet their monthly growth goals.” In addition, the company allegedly marketed the option to refinance existing loans as a “fresh start” and “solution” to their problems. The Bureau alleges that the company violated CFPA and engaged in unfair and abusive acts and practices.
The Bureau seeks redress for consumers, injunctive relief, and a civil money penalty.
District court declines to reconsider BIPA accrual ruling
On August 14, an Illinois District Court denied in part and granted in part a tech company’s motion to dismiss a class-action suit that alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The complaint alleged that the tech giant failed to safeguard the facial data in its photo service as closely as it protected other types of data and violated its own policy governing biometric identifier storage. BIPA requires companies to store, transmit, and protect biometric data using the reasonable standard of care within the company’s industry and to protect that data in either the same or more protective manner as it protects other types of confidential data.
In permitting the complaint to move forward, the court noted that the defendant’s internal documents allegedly show that it made minimal investment in its photo service and made no attempt to identify flaws in the system. Further, the court referred to allegations in the complaint that the defendant devotes fewer resources and staffing to protecting the photo service. The court noted that the allegations were sufficient because the lack of protocols made consumers’ critical metadata “vulnerable to attacks.”
In granting the motion related to violation of the defendant’s policies, the court noted that plaintiffs did not show they were personally injured by the alleged violation. The defendant’s policy requires it to delete files for accounts that have been abandoned for two years, for which image recognition was disabled, or where user deleted their photo account. However, the court concluded that the complaint did not allege that plaintiffs did any of these actions.
Chopra announces rulemaking for data brokers
On August 15, CFPB Director Rohit Chopra delivered remarks at the White House Roundtable on the harms of data broker practices. Referencing the prevalence of artificial intelligence in data surveillance, Chopra highlighted a common practice employed by companies: the gathering, leveraging, and sharing of data concerning consumers, including individual pieces of data or consumer profiles, without consumers’ awareness with third parties that employ AI to formulate forecasts and decisions. These detailed data sets can also easily be exploited by bad actors, Chopra warned. Chopra announced that after conducting an inquiry into data broker practices, the Bureau will endeavor to make rules regulating data broker surveillance to ensure sensitive data is not misused and on par with FCRA requirements.
Two proposals are being considered: the first proposal would define the term “consumer reporting agency” to include a data broker that sells certain types of consumer data, thereby triggering requirements to ensure accuracy and to govern disputes concerning the reporting of inaccurate information. The second proposal will address existing confusion by clarifying the existing confusion concerning “the extent to which credit header data constitutes a consumer report, [and] reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.” The rulemaking will also complement efforts put forth by the FTC.
District Court splits order against crypto platform
On August 11, a split U.S District Court of the Southern District of New York partially granted and partially denied a crypto platform’s (defendant) motion to dismiss most charges for failure to state a claim upon which relief can be granted. Four months after plaintiff opened an account with defendant, a hacker siphoned approximately $5 million worth of Bitcoin from the account. Between the time the hacker accessed the account and withdrew the Bitcoin, plaintiff contacted the platform about being locked out of the account, to which defendant responded that the password change email could be in plaintiff’s spam folder. The complaint alleged that had the company locked the account, plaintiff would still have access to their Bitcoin, and that the platform has a duty to protect its customers’ assets and accounts. Among other things, the complaint also alleged that the platform violated the Electronic Fund Transfer Act (EFTA), the New York General Business Law, and the Michigan Consumer Protection Act.
In its motion to dismiss, defendant argued that Regulation E does not apply to the platform because the EFTA language does not explicitly cover cryptocurrency and only references denominations of the U.S. dollar. Although a separate case against the same defendant determined EFTA did apply to the platform since the statute’s “funds” reference could reasonably cover cryptocurrency (covered by InfoBytes here), the judge’s order focused on, “electronic fund transfer”. The court more closely considered the purpose of the account, expressing uncertainty as to whether it was for personal, family, or household purposes. The court found that the definition of an “account” under EFTA does not include plaintiff’s electronic fund transfer account which was established for investment purposes. In the previous case against the same defendant, the court held that the defendant deceived the users regarding its security measures, but the judge presiding over this case disagreed. The court cut the claims of misrepresentation finding that plaintiff failed to allege that the statements were false at the time they were made. The order denies two claims: (i) that the defendant misrepresented its security level; and (ii) that the defendant failed to meet EFTA requirements and its implementing Regulation E, because investment purposes accounts are precluded from the statute’s protections. The court granted the other four counts.
Judge stays CFPB, NY AG lawsuit against auto lender
On August 7, the U.S. District Court for the Southern District of New York granted a defendant’s motion to stay a lawsuit against an alleged predatory auto lender until the Supreme Court determines the constitutionality of the CFPB’s funding in a separate lawsuit (CFSA Case; covered by InfoBytes here).
The CFPB and the New York Attorney General (AG) brought the complaint in January, accusing the lender of UDAAP and TILA violations that involved tricking consumers into loans financing used cars with high interest rates (typically above 22 percent) and add-on products they could not afford. The CFPB and AG alleged the dealers affiliated with the company (i) engaged in deceptive conduct; (ii) used high pressures sales tactics; (iii) pressured consumers into unaffordable auto loans; (iv) pressured family and friends to cosign the loans; (v) withheld prices of vehicles; and (vi) misrepresented key financial terms of the purchase, violating the CFPB, the Martin Act, and fraud and UDAP statutes, among other allegations.
In its decision, the district court reasoned that the stay awaiting the Supreme Court’s decision would (i) allow for clarity and guidance on the legal issues at hand and it may help the defendant avoid unnecessary litigation costs; and (ii) promote judicial efficiency and minimize the possibility of conflicts with other courts. Furthermore, the court determined that although it would be in the public interest to enforce consumer protection laws, the potential harm to the public caused by the stay is outweighed by the benefit to consumers “in proceeding in a streamlined fashion.” The order requires the parties to file a joint letter updating the court by the earlier of November 3 or one week after a major development in the CFSA case.
Tech giant denied summary judgment in private browsing lawsuit
On August 7, the U.S. District Court for the Northern District of California entered an order denying a multinational technology company’s motion for summary judgment on claims that the company invaded consumers’ privacy by tracking the consumers’ browsing history in the company’s private browsing mode. After reviewing the company’s disclosed general terms of service and privacy notices and disclosures, the court found that the company never explicitly told users that it would be collecting their data while browsing in private mode. Without evidence that the company explicitly told users of this practice, the court concluded that it could not “find as a matter of law that users explicitly consented to the at-issue data collection,” and therefore, could not grant the company’s motion for summary judgment.
Plaintiffs, who are account holders (Class 1 for Incognito users and Class 2 for users of other private browsing modes), brought a class action suit against the company for the “surreptitious interception and collection of personal and sensitive user data” while the users were in a “private browsing mode.” Along with invasion of privacy, intrusion upon seclusion, and breach of contract, plaintiffs asserted violations of (i) the Federal Wiretap Act; (ii) The California Invasion of Privacy Act; (iii) Comprehensive Data Access and Fraud Act; and (iv) California’s Unfair Competition Law.
The court previously denied the defendant’s two motions to dismiss.
Senate Banking Committee holds hearing on account fees
On July 26, the Senate Banking Committee held a hearing regarding “fees and tactics impacting Americans’ wallets” in relation to financial services and the role of the CFPB in addressing harmful fees. Leading the hearing, Senator Raphael Warnock (D-GA), chairman of the committee, explained that some “excessively high” and unclear fees do not serve an economic value, referring to these as “junk fees.” Senator Warnock shared that 1/3 of households that do not use banks cite high fees as their reason for continuing without a bank account. Senator Thom Tillis (R-N.C.) criticized the CFPB’s attempts at avoiding the oversight of the Administrative Procedures Act in the rule-making process by mislabeling its actions. Tillis added that after the 2008 financial crisis, regulators emphasized the importance of overdraft revenue as, “an appropriate tool for ensuring the stability of the bank’s balance sheets.” He then criticized the shift in guidance, as the CFPB looks to reprimand banks who follow “the established prudential standards for the crime of listening to their previous federal regulators.” He also claimed that the Bureau does not have proper jurisdiction, resources, or staff to make such decisions.
Pennsylvania Attorney General Michelle Henry testified about recent enforcement actions she has taken, including a recently filed suit against a Wall Street private equity-owned installment lender, who allegedly charged consumers “junk fees” for low-value or valueless add-on products. Henry also mentioned entering into a settlement relating to a bank charging “junk fees” in connection with auto finance products. Brian Johnson, a financial regulatory compliance specialist and former deputy director of the CFPB, claimed that the agencies and the White House have failed to provide a consistent definition for the “junk fees” that could subject institutions to scrutiny, and criticized the CFPB, saying that it does not follow its own regulations and laws governing how agencies make rules by publishing interpretive rules as policy statements in bulletins. A final topic raised by Senator Tina Smith (D-MN) regarded land contracts and lease-to-purchase or rent-to-own agreements that she claimed can be exploitative towards underserved communities. Smith noted that such contacts are “designed to fail,” noting that more than 80 percent of the time, people lose all their equity because they do not make it to the last payment of the contract.
FCC warns provider to stop transmitting illegal robocalls
On August 1, the FCC’s Enforcement Bureau notified a gateway intermediate provider and originator that it is allegedly transmitting and originating illegal robocalls, which could result in the FCC permitting downstream service providers to block its traffic permanently if it fails to take action. The illegal robocalls allegedly involved attempts to engage with consumers by informing consumers of fake purchase orders or asking them to confirm their order. Noting that the provider is “closely connected” to two other entities that had previously received similar enforcement letters, the FCC warned that continually changing corporate formations and serving those same entities and related principals could constitute “willful attempts to circumvent the law to originate and carry illegal traffic.” Among other things, the provider is required to investigate the identified transmissions, block all of the identified traffic if the investigation confirms that the entity served as the gateway provider for the illegal transmissions, and report the results to the FCC’s enforcement bureau.
Oregon enacts registration requirements for data brokers
On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), data or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time, The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of Act or for each day in which violation continues. Civil money penalties are capped at $10,000 per calendar year.