On August 30, a California Appeals Court (Appeals Court) reversed a lower court’s ruling that a mere alleged debt, whether or not actually due or owing – as opposed to a debt that is, in fact, actually due or owing – is insufficient to state a claim under the Rosenthal Fair Debt Collection Practices Act (Rosenthal Act). Enacted in 1977, the Rosenthal Act aims “to prohibit debt collectors from engaging in unfair or deceptive acts or practices in the collection of consumer debts.” Plaintiff purchased a home with a previously-installed solar energy system. The previous homeowner and plaintiff reached an agreement whereby the prior homeowner would purchase the energy produced through the system through monthly payments. However, the defendant, the provider of the solar energy system, sent late payment notices to plaintiff demanding that he make monthly payments. Although plaintiff did not engage in a “consumer credit transaction” with the defendant, the Appeals Court found that the plaintiff’s receipt of statements and notices from the defendant constituted money “alleged to be due or owing,” as required to state a claim under the Rosenthal Act. In holding that the plaintiff’s claim “has merit,” the Appeals Court emphasized that the Rosenthal Act was specifically designed to “eliminate the recurring problem of debt collectors dunning the wrong person or attempting to collect debts which the consumer has already paid,” and “[i]t is difficult to conceive of a more unfair debt collection practice than dunning the wrong person.”
On September 5, the FDIC released the list of nonmember banks examined for compliance with the Community Reinvestment Act (CRA), which is intended to “encourage insured banks and thrifts to meet local credit needs.” Included in the list was a fintech bank that the FDIC rated as “Needs to Improve” for reasons involving its overall record of helping meet the credit needs of underserved communities. According to the FDIC’s CRA performance evaluation of the Utah-based bank, the FDIC adjusted the CRA rating from “Satisfactory” to “Needs to Improve” due to illegal credit practices that resulted in violations of Section 5 of the FTC Act, Unfair or Deceptive Acts or Practices that were present during the time of the evaluation period. The FDIC found that the bank’s actions impacted a significant number of customers across the bank’s fuel card programs, and that the practices were sustained for multiple years. The FDIC also noted that, after the bank was notified of the violations, it implemented corrective measures, including customer restitution.
On August 22, the CFPB announced it is suing a lending company and its subsidiaries that provide installment loans as a refinance option to consumers who have difficulty paying their existing loans. According to the complaint, the Bureau claims that through an array of underwriting, sales, and servicing practices, the company would encourage consumers with limited loan options to repeatedly refinance their existing loans, securing fees with each successful round of refinancing. The CFPB alleges the company and its subsidiaries generated over 40 percent of their net revenue through the loan costs and fees derived from “churning” consumers in repeated refinances. The complaint includes details of the sales tactics, and how a district supervisor “plainly tells their employees that if they don’t refinance their delinquent customers, they’re not going to meet their monthly growth goals.” In addition, the company allegedly marketed the option to refinance existing loans to consumers as a “fresh start” and “solution” to their problems. The Bureau alleges that the company violated the CFPA and engaged in unfair and abusive acts and practices.
The Bureau seeks redress for consumers, injunctive relief, and a civil money penalty.
On July 26, the CFPB released its Summer 2023 issue of Supervisory Highlights, which covers enforcement actions in areas such as auto origination, auto servicing, consumer reporting, debt collection, deposits, fair lending, information technology, mortgage origination, mortgage servicing, payday lending and remittances from June 2022 through March 2023. The Bureau noted significant findings regarding unfair, deceptive, and abusive acts or practices and findings across many consumer financial products, as well as new examinations on nonbanks.
- Auto Origination: The CFPB examined auto finance origination practices of several institutions and found deceptive marketing of auto loans. For example, loan advertisements showcased cars larger and newer than the products for which actual loan offers were available, which misled consumers.
- Auto Servicing: The Bureau’s examiners identified unfair and abusive practices at auto servicers related to charging interest on inflated loan balances resulting from fraudulent inclusion of non-existent options. It also found that servicers collected interest on the artificially inflated amounts without refunding consumers for the excess interest paid. Examiners further reported that auto servicers engaged in unfair and abusive practices by canceling automatic payments without sufficient notice, leading to missed payments and late fee assessments. Additionally, some servicers allegedly engaged in cross-collateralization, requiring consumers to pay other unrelated debts to redeem their repossessed vehicles.
- Consumer Reporting: The Bureau’s examiners found that consumer reporting companies failed to maintain proper procedures to limit furnishing reports to individuals with permissible purposes. They also found that furnishers violated regulations by not reviewing and updating policies, neglecting reasonable investigations of direct disputes, and failing to notify consumers of frivolous disputes or provide accurate address disclosures for consumer notices.
- Debt Collection: The CFPB's examinations of debt collectors (large depository institutions, nonbanks that are larger participants in the consumer debt collection market, and nonbanks that are service providers to certain covered persons) uncovered violations of the FDCPA and CFPA, such as unlawful attempts to collect medical debt and deceptive representations about interest payments.
- Deposits: The CFPB's examinations of financial institutions revealed unfair acts or practices related to the assessment of both nonsufficient funds and line of credit transfer fees on the same transaction. The Bureau reported that this practice resulted in double fees being charged for denied transactions.
- Fair Lending: Recent examinations through the CFPB's fair lending supervision program found violations of ECOA and Regulation B, including pricing discrimination in granting pricing exceptions based on competitive offers and discriminatory lending restrictions related to criminal history and public assistance income.
- Information Technology: Bureau examiners found that certain institutions engaged in unfair acts by lacking adequate information technology security controls, leading to cyberattacks and fraudulent withdrawals from thousands of consumer accounts, causing substantial harm to consumers.
- Mortgage Origination: Examiners found that certain institutions violated Regulation Z by differentiating loan originator compensation based on product types and failing to accurately reflect the terms of the legal obligation on loan disclosures.
- Mortgage Servicing: Examiners identified UDAAP and regulatory violations at mortgage servicers, including violations related to loss mitigation timing, misrepresenting loss mitigation application response times, continuity of contact procedures, Spanish-language acknowledgment notices, and failure to provide critical loss mitigation information. Additionally, some servicers reportedly failed to credit payments sent to prior servicers after a transfer and did not maintain policies to identify missing information after a transfer.
- Payday Lending: The CFPB identified unfair, deceptive, and abusive acts or practices, including unreasonable limitations on collection communications, false collection threats, unauthorized wage deductions, misrepresentations regarding debt payment impact, and failure to comply with the Military Lending Act. The report also highlighted that lenders reportedly failed to retain evidence of compliance with disclosure requirements under Regulation Z. In response, the Bureau directed lenders to cease deceptive practices, revise contract language, and update compliance procedures to ensure regulatory compliance.
- Remittances: The CFPB evaluated both depository and non-depository institutions for compliance with the EFTA and its Regulation E, including the Remittance Rule. Examiners found that some institutions failed to develop written policies and procedures to ensure compliance with the Remittance Rule's error resolution requirements, using inadequate substitutes or policies without proper implementation.
On July 18, NYDFS sent a letter reminding regulated auto lenders and auto loan servicers that they are responsible for ensuring certain rebates are credited to consumers whose vehicles were repossessed or were a total loss. During its examinations, NYDFS identified instances where certain institutions that finance ancillary products, such as extended warranties, vehicle service contracts, and guaranteed asset protection insurance, failed to properly calculate, obtain, and credit rebates to consumers as required. NYDFS explained that the terms of sale for such ancillary products “provide that if the vehicle is repossessed or is a total loss prior to the product’s expiration, the consumer is entitled to a rebate for the prorated, unused value of the product (a ‘Rebate’), payable first to the [i]nstitution to cover any deficiency balance, and then to the consumer.” NYDFS found that some institutions either neglected to pursue Rebates from the issuers of the ancillary products or miscalculated the owed amounts, adding that in some instances, institutions made initial requests for Rebates but did not follow through to ensure that they were received and credited to consumers.
NYDFS explained that an institution’s failure to obtain and credit Rebates from unexpired ancillary products is considered to be unfair “because it causes or is likely to cause substantial injury to consumers who are made to pay or defend themselves against deficiency balances in excess of what the consumer legally owes.” The resulting injury caused to consumers is not outweighed by any countervailing benefits to consumers or to competition, NYDFS stressed.
Additionally, NYDFS said an institution’s statements and claims of consumers’ deficiency balances that do not include correctly calculated and applied Rebates are considered to be deceptive, as they mislead consumers about the amount they owe after considering all setoffs. NYDFS said it expects institutions to fulfill their contractual obligations by ensuring Rebates are properly accounted for, either by deducting them from deficiency balances or issuing refund checks if no deficiency balance is owed.
NYDFS further noted in its announcement that recent CFPB examinations found that certain auto loan servicers engaged in deceptive practices when they notified consumers of deficiency balances that misrepresented the inclusion of credits or rebates. The Bureau’s supervisory highlights from Winter 2019, Summer 2021, and Spring 2022 also revealed that collecting or attempting to collect miscalculated deficiency balances that failed to account for a lender’s entitled pro-rata refund constituted an unfair practice.
On July 13, the CFPB joined state attorneys general from Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia in taking action against an education firm accused of engaging in deceptive marketing and unfair debt collection practices. California’s Department of Financial Protection and Innovation is participating in the action as well. Prior to filing for bankruptcy, the Delaware-based defendant operated a private, for-profit vocational training program for software sales representatives. The joint complaint, filed as an adversary proceeding in the firm’s bankruptcy case, alleges that the defendant charged consumers up to $30,000 for its programs. The complaint further alleges that the defendant encouraged consumers who could not pay upfront to enter into income share agreements, which required minimum payments equal to between 12.5 and 16 percent of their gross income for 4 to 8 years or until they had paid a total of $30,000, whichever came first.
The complaint asserts that the defendant engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and misled borrowers into believing that no payments would need to be made until they received a job offer from a technology company with a minimum annual income of $60,000. The defendant is also accused of failing to disclose important financing terms, such as the amount financed, finance charges, and annual percentage rates, as required by TILA and Regulation Z. The complaint also claims that the defendant hired two debt collection companies to pursue collection activities on defaulted income share loans. One of the defendant debt collectors is accused of engaging in unfair practices by filing debt collection lawsuits in remote jurisdictions where consumers neither resided nor were physically present when the financing agreements were executed. The complaint further alleges the two defendant debt collectors violated the FDCPA and the CFPA by deceptively inducing consumers into settlement agreements and falsely claiming they owed more than they did.
According to the Bureau and the states, after the Delaware Department of Justice and Delaware courts began scrutinizing the debt collection lawsuits, the defendant unilaterally changed the terms of its contracts with consumers to force them into arbitration even though none of them had agreed to arbitrate their claims. Additionally, the complaint contends that settlement agreements marketed as being “beneficial” to consumers actually released consumers’ claims against the defendant and converted income share loans into revised “settlement agreements” that obligated them to make recurring monthly payments for several years and contained burdensome dispute resolution and collection terms.
The complaint seeks permanent injunctive relief, monetary relief, consumer redress, and civil money penalties. The CFPB and states are also seeking to void the income share loans.
On June 27, the CFPB entered a consent order against a Nebraska-based payment processor and its Delaware-based subsidiary for alleged violations of the EFTA (Regulation E), and the Consumer Financial Protection Act’s prohibition against unfair acts and practices. According to the Bureau, in 2021 the respondent’s employees allegedly used sensitive consumer financial information while conducting internal testing, without employing the proper information safety protocols. The internal tests allegedly created payment processing files that were treated as containing legitimate consumer bill payment orders. According to the Bureau, the erroneous bill payment orders were allegedly sent to consumers’ banks for processing, which resulted in approximately $2.3 billion in mortgage payments being debited from nearly 500,000 borrower bank accounts without their knowledge or authorization. The Bureau alleged in its order that some consumers’ accounts were depleted, “depriving Affected Consumers of the use of their funds, including by being prevented from making purchases or completing other legitimate transactions, and many were charged fees, including fees for insufficient funds or overdrawn accounts.” While neither admitting nor denying any of the allegations, the respondent has agreed to pay a $25 million penalty, stop activities the Bureau deemed unlawful, and adopt and enforce reasonable information security practices.
On May 18, the FTC issued a notice of proposed rulemaking (NPRM) and request for public comment on changes to its Health Breach Notification Rule (Rule), following a notice issued last September (covered by InfoBytes here) warning health apps and connected devices collecting or using consumers’ health information that they must comply with the Rule and notify consumers and others if a consumer’s health data is breached. The Rule also ensures that entities not covered by HIPAA are held accountable in the event of a security breach. The NPRM proposed several changes to the Rule, including modifying the definition of “[personal health records (PHR)] identifiable health information,” clarifying that a “breach of security” would include the unauthorized acquisition of identifiable health information, and specifying that “only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.” The modifications would also authorize the expanded use of email and other electronic methods for providing notice of a breach to consumers and would expand the required content for notices “to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.” Comments on the NPRM are due 60 days after publication in the Federal Register.
The same day, the FTC also issued a policy statement warning businesses against making misleading claims about the accuracy or efficacy of biometric technologies like facial recognition. The FTC emphasized that the increased use of consumers’ biometric information and biometric information technologies (including those powered by machine learning) raises significant consumer privacy and data security concerns and increases the potential for bias and discrimination. The FTC stressed that it intends to combat unfair or deceptive acts and practices related to these issues and outlined several factors used to determine potential violations of the FTC Act.
On May 10, the CFPB released Circular 2023-02 to opine that unilaterally reopening a closed account without a customer’s permission in order to process a transaction is a likely violation of federal law, particularly if a bank collects fees on the account. “When a bank unilaterally chooses to open an account in someone’s name after they have already closed it, this is a fake account,” CFPB Director Rohit Chopra said in the announcement. “The CFPB is acting on all fronts to halt the harvesting of illegal junk fees.”
The Bureau described receiving complaints from consumers about banks reopening closed accounts and then assessing overdraft/nonsufficient funds fees and monthly maintenance fees. Such practices, the Bureau warned, may violate the Consumer Financial Protection Act’s prohibition on unfair acts or practices. Consumers may experience substantial injury including monetary harm by paying fees due to the unfair practice, the Bureau said, explaining that because consumers likely cannot reasonably avoid the injury, “[a]ctual injury is not required; significant risk of concrete harm is sufficient.” Aside from subjecting consumers to fees, when a bank processes a credit through a reopened account, the consumers’ funds may become available to third parties, including those that do not have permission to access such funds, the Bureau warned, adding that there is also a risk that banks may furnish negative information to consumer reporting agencies if reopening the account overdraws the account and the consumer does not quickly repay the amount owed. The Bureau further noted that deposit account agreements typically indicate that a financial institution “may return any debits or deposits to the account that the financial institution receives after closure and faces no liability for failing to honor any debits or deposits received after closure.”
The Circular explained that rather than reopening an account when a third party attempts to deposit or withdraw money from it, banks should decline the transactions. This allows customers the opportunity to update their information with the entity attempting to access a closed account while avoiding potential fees. “Reopening a closed account does not appear to provide any meaningful benefits to consumers or competition,” the Bureau said in the Circular. “While consumers might potentially benefit in some instances where their accounts are reopened to receive deposits, which then become available to them, that benefit does not outweigh the injuries that can be caused by unilateral account reopening.”
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to file a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however, that some of the deficiencies may be cured through additional factual allegations in an amended complaint.