InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC sues data broker for unfair sale of sensitive data
On August 29, the FTC announced an action taken against a data broker accused of allegedly selling precise geolocation data from hundreds of millions of mobile devices that can be used to trace individuals’ movements to and from sensitive locations. According to the complaint, the defendant purchases location information from other data brokers and packages it into customized data feeds that match unique mobile device advertising identification numbers with timestamped latitude and longitude locations. These data feeds allow purchasers to identify and track specific mobile device users with no restrictions on usage and puts consumers at significant risk, the FTC claimed, noting that by failing to adequately protect its data from public exposure, consumers may be identified and face substantial injury. Moreover, people are often unaware that their location data is being purchased and shared by the defendant and have no control over its sale or use, the FTC said in its announcement. The complaint alleges the defendant’s unfair sale of sensitive data violates the FTC Act, and seeks a permanent injunction and any additional relief deemed just and proper.
District Court awards injunctive relief to FTC in deceptive advertising case
On August 9, the U.S. District Court for the Northern District of Georgia ruled that the FTC provided “broad and detailed” evidence of alleged deceptive advertising and unfair fee practices in its $550 million case against a technology company and its CEO (collectively, “defendants”). As previously covered by InfoBytes, the FTC filed a suit in 2019, alleging the defendants made deceptive representations to customers and charged hidden, unauthorized fees in connection with the company’s “fuel card” products in violation of Section 5 of the FTC Act. In 2019, when the agency filed its lawsuit, legal precedent held that the FTC could obtain restitution for consumers directly through such civil proceedings in federal court. However, in April of 2021, the Supreme Court held in AMG Capital Management, LLC v. FTC that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.) Following that decision, the FTC filed a motion to stay or voluntarily dismiss in an attempt to preserve the possibility of obtaining monetary relief for injured consumers in federal court while pursuing claims against the defendants through the agency’s administrative process, but the district court denied the motion, concluding that the “balance of equities does not weigh in favor of a stay or dismissal without prejudice.”
In its most recent order, the district court ruled that the FTC provided compelling and overwhelming evidence, including advertisements, internal marketing studies, and a “plethora of customer complaints” that showed the defendants are liable for multiple violations of the FTC Act. Among other things, the court noted that the evidence showed that the defendants knew that many customers were unaware of certain fees when they signed up for the fuel cards and that the defendants’ terms and conditions governing the fees were “inscrutable” and confusing. However, the district court partially granted defendants’ request for summary judgment on monetary relief, ruling that in light of the Supreme Court’s decision in AMG Capital Management, the FTC cannot obtain a monetary award for the violations until the agency exhausts its administrative litigation process. A hearing will be held to determine the nature of the required injunctive relief.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
FTC, NLRB sign MOU to protect workers in gig economy
On July 19, the FTC announced that it is joining with the National Labor Relations Board (NLRB) (collectively, “Parties”) in a memorandum of understanding (MOU) intended to protect workers by promoting competitive U.S. labor markets and putting an end to unfair practices that harm workers in the “gig economy” and other labor markets. The MOU provides ways for the Parties to work together to address key issues, such as labor market concentration, one-sided contract terms, and labor developments in the gig economy. According to the MOU, the Parties recognize that ongoing interagency collaboration regarding “issues of common regulatory interest will help to protect workers against unfair methods of competition, unfair or deceptive acts or practices, and unfair labor practices.” The MOU also provides that the Parties will facilitate: (i) “information sharing and cross-agency consultations on an ad hoc basis for official law enforcement purposes, in a manner consistent with and permitted by the laws and regulations that govern the Parties”; (ii) “cross-agency training to educate each Party about the laws and regulations enforced by the other Party”; and (iii) “coordinated outreach and education as appropriate.” According to the FTC, the MOU “is part of a broader FTC initiative to use the agency’s full authority[.]” The announcement also described the FTC’s recent efforts to root out deceptive and unfair acts and practices aimed at workers, “particularly those in the ‘gig economy’ who often don’t enjoy the full protections of traditional employment relationship.”
CFPB, OCC issue consent orders against national bank
On July 14, the CFPB announced a consent order against a national bank to resolve allegations that the bank engaged in unfair and abusive acts or practices with respect to unemployment insurance benefit recipients who filed notices of error concerning alleged unauthorized electronic fund transfers (EFTs). The CFPB alleged that the bank violated the CFPA by, among other things: (i) determining that “no error had occurred and [by] freezing cardholder accounts based solely on the results of [the bank’s] automated Fraud Filter”; (ii) “retroactively applying its automated Fraud Filter to reverse permanent credits for unemployment insurance benefit prepaid debit cardholders whose notices of error [the bank] had previously investigated and paid”; and (iii) “impeding unemployment insurance benefit prepaid debit cardholders’ efforts to file notices of error and seek liability protection from unauthorized EFTs.” The CFPB also claimed that the bank violated the EFTA and Regulation E by “fail[ing] to conduct reasonable investigations” of cardholders’ notices of error. Under the terms of the Bureau’s consent order, the bank is required to provide redress to harmed consumers, review and reform its unemployment insurance benefit prepaid debit card program, and pay a $100 million civil penalty to the Bureau.
The same day, the OCC announced a consent order and a $125 million civil money penalty against the bank for alleged unsafe or unsound practices related to the same prepaid card program. According to the OCC, the bank, among other things: (i) “fail[ed] to establish effective risk management” over its unemployment card program”; and (ii) “beginning in 2020, denied or delayed many consumers’ access to unemployment benefits when consumers filed or attempted to file [unemployment insurance benefits] unauthorized transaction claims.” The OCC’s civil money penalty and remediation requirement is in addition to the CFPB’s civil money penalty.
NYDFS issues overdraft and NSF fee guidance
On July 12, NYDFS issued guidance in an industry letter to regulated banking institutions, calling into question bank practices that can cause consumers to receive multiple overdraft and non-sufficient funds (NSF) fees from a single transaction. The industry letter identifies three specific types of fee practices as unfair or deceptive:
- Charging overdraft fees for “authorize positive, settle negative” transactions, where consumers are charged an overdraft fee even if they have sufficient money in their account when a bank approves a transaction, but the balance is negative when the payment is settled. Per NYDFS, imposing an overdraft fee in this situation is unfair because, among other things, consumers “have no control over or involvement in” when or how their debit transactions get settled.
- Charging “double fees” to consumers for a failed overdraft protection plan transfer, which occurs when a bank goes to transfer money from one deposit account to another deposit account to cover an overdraft transaction, but the first account lacks sufficient funds to cover the overdraft. Per NYDFS, double fees injure consumers “by imposing fees for a transfer that provides no value to the consumer and is not reasonably avoidable by consumers, who have no reason to expect that they will be charged a fee for an overdraft protection transfer that does not in fact protect them against an overdraft.”
- Charging NSF representment fees when a merchant tries several times to process a transaction that is deemed an overdraft and the bank charges a fee for each blocked representment without adequate disclosure. Banks that currently charge multiple NSF fees should “make clear, conspicuous, and regular disclosure to consumers that they may be charged more than one NSF fee for the same attempted debit transaction,” NYDFS stated. Additionally, banks are advised to consider other steps to mitigate the risk that consumers are charged multiple NSF fees, including limiting time periods for when multiple NSF fees may be charged, performing periodic manual reviews to identify instances of multiple NSF Fees, and offering refunds to affected consumers. NYDFS “ultimately expects [i]nstitutions will not charge more than one NSF fee per transaction, regardless of how many times that transaction is presented for payment,” the industry letter said.
NYDFS informed regulated entities that it will evaluate whether they “are engaged in deceptive or unfair practices with respect to overdraft and NSF fees in future Consumer Compliance and Fair Lending examinations.”
CFPB sues payday lender over debt collection practices
On July 12, the CFPB filed a complaint against a Texas-based payday lender (defendant) for allegedly engaging in illegal debt-collection practices and allegedly generating $240 million in reborrowing fees from borrowers who were eligible for free repayment plans in violation of the CFPA. As previously covered by InfoBytes, in 2014, the Bureau ordered the defendant to, among other things, pay $10 million for allegedly using false claims and threats to coerce delinquent payday loan borrowers into taking out an additional payday loan to cover their debt. The Bureau stated that after the CFPB’s 2014 enforcement action, the defendant “used different tactics to make consumers re-borrow.” The complaint alleges that the defendant “engaged in unfair, deceptive, and abusive acts or practices by concealing the option of a free repayment plan to consumers who indicated that they could not repay their short term, high-cost loans originated by the defendant.” The Bureau also alleges that the defendant attempted to collect payments by unfairly making unauthorized electronic withdrawals from over 3,000 consumers’ bank accounts. The Bureau seeks permanent injunctive relief, restitution, disgorgement, damages, civil money penalties, and other relief.
Halperin discusses invoking UDAAP under CFPA
On June 29, the American University Washington College of Law held a symposium centered in part around the CFPB’s new approach for examining institutions for unfair conduct. During the CFPB’s New Approach to Discrimination: Invoking UDAAP symposium, CFPB Assistant Director for the Office of Enforcement Eric Halperin answered questions related to updates recently made to the Bureau’s Unfair, Deceptive, or Abusive Acts or Practices Examination Manual. These updates detail the agency’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service as an unfair act or practice. (Covered by a Buckley Special Alert here.) The Bureau published a separate blog post by its enforcement and supervision heads explaining that they were “cracking down on discrimination in the financial sector,” and that the new procedures would guide examiners to look “beyond discrimination directly connected to fair lending laws” and “to review any policies or practices that exclude individuals from products and services, or offer products or services with different terms, in an unfairly discriminatory manner.”
Assistant Director Halperin’s remarks were followed by a discussion of the Bureau’s revisions to its Examination Manual by a panel that consisted of David Silberman of the Center for Responsible Lending, Kitty Ryan of the American Bankers Association, and John Coleman of Buckley LLP, which was moderated by Jerry Buckley. Topics covered included a June 28 letter that trade associations sent to the CFPB urging recission of revisions to the Examination Manual.
In his interview with American University Law School Professor V. Gerard Comizio, Halperin stated that the CFPB’s Examination Manual updates provide guidance on how examiners will implement the Bureau’s statutory authority to examine whether an act or practice is unfair because it may cause or is likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by countervailing benefits to consumers or competition. He stressed that the update does not create a new legal standard under the three prongs of the unfairness standard. Halperin also discussed how the Bureau’s UDAAP authority interacts with laws enacted specifically to prevent discriminatory conduct such as ECOA and the Fair Housing Act, and touched on steps institutions should consider taking to ensure compliance. Notably, when asked whether the Bureau intends to pursue disparate impact claims under the CFPA, Halperin stated that disparate impact, along with disparate treatment, are wholly distinct concepts from Dodd-Frank’s prohibition on unfair acts and practices. He added that in assessing an unfair act and practice, the key is to examine the substantial injury prong and then assess the reasonable avoidability and the countervailing benefits prongs. He further explained that the unfairness test does not contain an intentional standard and noted that there have been cases brought by both the FTC and the Bureau where there was injurious conduct that was not intentional or specifically known to the party engaging in this practice. According to Halperin, substantial injury alone is not sufficient to prove unfairness and using disparate impact as the mechanism of proof is not what the Bureau uses to prove an unfairness claim.
Halperin reiterated that the CFPB Examination Manual is designed to provide transparency to financial institutions about the types of issues that examiners will be inquiring about in furtherance of determining whether there has been an unfair act or practice under the current framework, and does not extend or create new law. In terms of practical compliance implications, Halperin said most financial institutions should already have robust UDAAP compliance systems in place and should already be looking for potential unfair acts or practices and examining patterns and group characteristics to identify the root cause of any issues, and to avoid substantial injury to consumers. With respect to a white paper recently sent to CFPB Director Rohit Chopra from several industry groups and the U.S Chamber of Commerce urging the Bureau to rescind the UDAAP exam manual (covered by InfoBytes here), Halperin commented that he has not had time to fully digest the white paper in detail but hoped that some of what was discussed during the symposium, particularly on the legal principles that will be used both in the exam manual and in any supervision and enforcement actions, clarifies that the Bureau is looking for conduct that violates the unfairness test.
Industry groups urge CFPB to rescind UDAAP anti-discrimination policy
On June 28, industry groups and the U.S Chamber of Commerce (collectively, “groups”) released a White Paper, Unfairness and Discrimination: Examining the CFPB’s Conflation of Distinct Statutory Concepts, urging the CFPB to rescind the recently released unfair, deceptive and abusive acts or practices (UDAAP) examination manual. As previously covered by a Buckley Special Alert, in March, the CFPB announced significant revisions to its UDAAP exam manual, in particular highlighting the CFPB’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service. The White Paper, among other things, explained the groups’ position that the Bureau’s UDAAP authority cannot be used to extend the fair lending laws beyond the limits of existing statutory law. The White Paper stated that the Bureau “conflated” concepts of “unfairness” and “discrimination” “by announcing, via a UDAAP exam manual ‘update,’ that it would examine financial institutions for alleged discriminatory conduct that it deemed to be ‘unfair’ under its UDAAP authority.” The groups stated that the agency has “taken the law into its own hand” arguing that “the Bureau did not follow Administrative Procedure Act requirements for notice-and-comment rulemaking.” The groups said the change in the examination manual is “contrary to law and subject to legal challenge” as well as legislative repeal under the Congressional Review Act. Additionally, the groups argued that the Bureau’s interpretation exceeds the agency’s statutory authority, and that the Bureau’s “action should be held unlawful and set aside.” The groups further stated that “[c]hanges that alter the legal duties of so many are the proper province of Congress, not of independent regulatory agencies, and the CFPB cannot ignore the requirements of the Administrative Procedures Act and Congressional Review Act. The CFPB may well wish to fill gaps it perceives in federal antidiscrimination law. But Congress has simply not authorized the CFPB to fill those gaps.”
In a letter sent to CFPB Director Rohit Chopra, the groups conveyed that Congress did not intend for the Bureau to “fill gaps” between the clearly articulated boundaries of antidiscrimination statutes with its UDAAP authority. The groups urged Director Chopra to rescind the exam manual update and stated that “[s]hould [he] believe additional authority is necessary to address alleged discriminatory conduct, we stand ready to work with Congress and the CFPB to explore that possibility and to ensure the just administration of the law.
FTC bans MCA providers, returns $2.7 million to consumers
On June 6, the FTC obtained a stipulated court order permanently banning a company and owner from participating in the merchant cash advance and debt collection industries. As previously covered by InfoBytes, last June the FTC filed an amended complaint against two New York-based small-business financing companies and a related entity and individuals (including the settling defendants), claiming the defendants engaged in deceptive and unfair practices by, among other things, misrepresenting the terms of their merchant cash advances, using unfair collection practices, deceiving consumers about personal guarantees, forcing consumers and businesses to sign confessions of judgment, providing less funding than promised due to undisclosed fees, and making unauthorized withdrawals from consumers’ accounts. Under the terms of the stipulated order, the settling defendants are required to pay a more than $2.7 million monetary judgment to go towards refunds for harmed consumers and must vacate any judgments against former customers and release any liens against their customers’ property. The announcement notes that the settling defendants are also “prohibited from misleading consumers about any key facts about any good or service, including any fees, the total cost of the product, and other facts that reflect their deceptions in this case.”
Earlier in January, a stipulated order was entered against two other defendants (covered by InfoBytes here), which permanently banned them from participating in the merchant cash advance and debt collection industries and required the payment of a $675,000 monetary judgment.