InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC announces Tropical Storm Hilary disaster relief
On August 21, the OCC issued a proclamation providing discretion to OCC-regulated institutions to close offices affected by Tropical Storm Hilary in California, Nevada, and Arizona “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the OCC, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Find continuing InfoBytes coverage on disaster relief here.
FTC, DOJ issue permanent injunction and civil penalty for violations of CAN-SPAM Act
On August 22, the DOJ and the FTC jointly announced a permanent injunction and civil penalty of $650,000 against a company that offers credit information, analytical tools, and marketing services for alleged violations of the CAN-SPAM Act, the CAN-SPAM Rule, and the FTC Act. The case, which was filed in the District Court for the Central District of California, asserts that millions of commercial emails sent to consumers did not give the recipients requisite notice of the option to opt-out of future such emails, in violation of the CAN-SPAM Act and Rule. The order enjoined the company from sending commercial emails that do not provide notice of the recipient’s ability to opt-out of future emails, it also enjoins the company from otherwise violating the CAN-SPAM Act, and subjects it to a civil penalty judgment of $650,000.
DFPI launches actions against crypto scams, initiates education campaign
On August 9, the California Department of Financial Protection and Innovation (DFPI) announced that it issued cease and desist orders against three entities (orders here, here, and here) for allegedly offering and selling unqualified securities, and making material misrepresentations and omissions to investor related to cryptocurrency investments. The entities allegedly created high-yield investment programs (HYIPs), which DFPI characterizes as “investment frauds that typically promise high returns with low risk, promise overly consistent returns, provide little details about the people running the HYIP, use vague language to describe how the HYIP makes money, offer referral bonuses, facilitate deposits and withdrawals with crypto assets, and use social media to gain attention and attract investors.”
The cease and desist orders are just one of the tools DFPI employs to address investment scams involving crypto assets, also using enforcement actions, social media, and a Crypto Scam Tracker. DFPI has posted videos to its social media accounts that are directed towards the same group of individuals targeted by the crypto community in order to educate investors about its enforcement actions and violations of law. The Crypto Scam Tracker was launched earlier this year to help Californian’s identify and avoid scams involving cryptocurrency. (Covered by InfoBytes here).
OCC allows Hawaii institutions to temporarily close, SBA offers loans
On August 10, the OCC issued a proclamation permitting OCC-regulated institutions to close offices in areas affected by the wildfires in Hawaii. In issuing the proclamation, the OCC noted that only bank offices directly affected by potentially unsafe conditions should close, and that institutions should make every effort to reopen as quickly as possible to address customers’ banking needs. The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions.
In addition, the Small Business Association (SBA) announced that it is offering low-interest federal disaster loans to Hawaii businesses and residents and California businesses and residents affected by the severe winter storms, straight-line winds, flooding, landslides and mudslides that occurred February 21 – July 10.
Interest rates for these loans can be as low as 4% for businesses, 2.375% for private nonprofit organizations and 2.375% (2.5% for Hawaii) for homeowners and renters with terms up to 30 years. Loan amounts and terms are set by SBA and are based on each applicant’s financial condition, with loans up to $500,000 for homeowners to repair or replace damaged or destroyed real estate and $100,000 to repair or replace damaged or destroyed personal property, including personal vehicles. The loans are part of the SBA’s commitment to “providing federal disaster loans swiftly and efficiently, with a customer-centric approach to help businesses and communities recover and rebuild.”
Find continuing InfoBytes coverage on disaster relief here.
Dubai to facilitate personal data transfers with California-based entities
On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.”
Tech giant denied summary judgment in private browsing lawsuit
On August 7, the U.S. District Court for the Northern District of California entered an order denying a multinational technology company’s motion for summary judgment on claims that the company invaded consumers’ privacy by tracking the consumers’ browsing history in the company’s private browsing mode. After reviewing the company’s disclosed general terms of service and privacy notices and disclosures, the court found that the company never explicitly told users that it would be collecting their data while browsing in private mode. Without evidence that the company explicitly told users of this practice, the court concluded that it could not “find as a matter of law that users explicitly consented to the at-issue data collection,” and therefore, could not grant the company’s motion for summary judgment.
Plaintiffs, who are account holders (Class 1 for Incognito users and Class 2 for users of other private browsing modes), brought a class action suit against the company for the “surreptitious interception and collection of personal and sensitive user data” while the users were in a “private browsing mode.” Along with invasion of privacy, intrusion upon seclusion, and breach of contract, plaintiffs asserted violations of (i) the Federal Wiretap Act; (ii) The California Invasion of Privacy Act; (iii) Comprehensive Data Access and Fraud Act; and (iv) California’s Unfair Competition Law.
The court previously denied the defendant’s two motions to dismiss.
California Privacy Protection Agency announces its first inquiry
On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CCPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.
DFPI concludes MTA licensure not required for data processor
On July 25, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter concluding that a company that merely receives payment instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission” requiring licensure under the California Money Transmission Act (MTA).
Citing the California regulations, DFPI states that to “receive money for transmission,” a person must actually or constructively receive, take possession, or hold money or monetary value for transmission; merely receiving instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission.”
As described in the letter, the data processor facilitated payments made by customers to contracting merchants in exchange for goods and services sold by merchants. The data processor forwards customer account and transaction details to partner financial institutions for debiting the customer’s account, and also facilitates refunds initiated by the merchants, including sending ACH instructions to the partner financial institution. However, the data processor at no point handles transferred funds or has custody or legal ownership of the rights to the transferred funds. DFPI, based on several factors and not solely limited to the services described, determined that the inquiring data processor’s payment system does not constitute money transmission or require an MTA license.
Payment processor fined $75k, partner owes $243M in CFPB suit
On July 31, the District Court for the Central District of California entered judgment in favor of the court-appointed receiver for defendants against the non-party provider of payment processing and escrow services to defendants and its managing member in the amount of $75,000, following a July 10 order requiring defendant to pay $243 million in redress and civil penalties. These judgments were entered in connection with the lawsuit filed by the CFPB, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, against a student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees (covered by InfoBytes here).
The defendant companies and one of the controlling business partners settled in 2020, but the court ordered the remaining controlling business partner to pay $243 million in redress and civil penalties earlier in July based on his involvement in violating various laws through the operation, including the TSR and the CFPA. Of the $243 million, the CFPB is entitled to over $95 million as redress for unlawful fees paid by consumers affected by the student loan debt relief operation and nearly $148 million of civil money penalties, and Minnesota, North Carolina, and California are each entitled to $5,000 of civil money penalties. The recent judgment of $75,000 entered against the non-party payment processing service provider resulted from the settlement of a separate lawsuit alleging that the service provider facilitated the fraud perpetuated by the defendants in the student loan debt relief operation and later attempted to deceptively transfer consumer funds held by defendants to avoid their transfer to the receiver.
California AG warns against unlawful employer-driven debt arrangements
On July 25, California Attorney General Rob Bonta issued a Legal Alert to remind all employers of state-law restrictions on employer-driven debt. Bonta highlighted concerns about employers engaging in exploitative practices that lead to employees accumulating debts as a result of their employment. (Also covered by InfoBytes here). Such practices may include employers withholding wages, failing to reimburse necessary expenses, or charging fees that are unlawful under California labor laws.
The alert outlines that employer-driven debt arrangements may violate California Labor Code section 2802, “which mandates that employers ‘indemnify employees for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties.’” Regarding job training, the alert mentions that California law forbids employers from making workers repay training costs, except in two cases: (i) when the training is necessary for legally practicing the profession, and (ii) when the worker voluntarily undertakes the training, not due to employer mandate. The alert warns companies that engage in exploitative practices that the protections established in the Labor Code cannot be waived by contract. The alert also states that such practices risk violating the state’s Rosenthal Fair Debt Collection Practices Act, which “prohibits an employer or its agent from engaging in unfair or deceptive acts or practices when attempting to collect on employer-driven debt.” Finally, the alert notes that if an employer takes advantage of a worker’s lack of information or knowledge about the risks or costs of the debt, they may violate the California Consumer Financial Protection Law.