InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
9th Circuit affirms summary judgment finding in favor of debt collector in lawsuit over retail card debt collection
On August 28, the U.S. Court of Appeals for the Ninth Circuit affirmed the decision of a district court to throw out a pair of consolidated punitive class action lawsuits brought against a nationwide debt collector company that alleged the company unlawfully attempted to collect debts incurred on retail-branded credit cards. A three-judge panel held that the debt collector did not “intentionally” violate provisions of the FDCPA when it circulated collection letters that did not disclose the time-barred natures of the debts under Oregon law and rejected the plaintiff’s argument that the district court had erred in granted summary judgment in favor of the company. The 9th Circuit noted that “mistakes about the time-barred status of a debt can be bona fide errors” and that the debt collector company presented evidence indicating that its failure to disclose that certain Oregon debts were time-barred were not intentional. Moreover, the 9th Circuit rejected plaintiff’s claim that a four-year statute of limitations applied to store-branded credit card accounts at the time the collection letters were sent, in part because the debt collector had sound reason to take the position that a six-year statute of limitations applied for an “account stated” under Oregon law. Ultimately, the applicable statute of limitations in this scenario remains “unsettled” under Oregon law. This, along with the fact that the 9th Circuit agreed that the company’s alleged violations were unintentional, resulted in the court’s decision to affirm the summary judgment finding in favor of the debt collector.
Oregon enacts registration requirements for data brokers
On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), data or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time, The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of Act or for each day in which violation continues. Civil money penalties are capped at $10,000 per calendar year.
Oregon is 11th state to enact comprehensive privacy legislation
On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
Highlights of the Act include:
- Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
- Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
- Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
- Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller.
- Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation.
The Act takes effect July 1, 2024.
FTC, DOJ sue maker of health app over data sharing
On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.
The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.
Oregon clarifies appraisal company registration authority
On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.
Oregon issues remote work guidance to licensed loan originators
On September 21, the Oregon Department of Consumer and Business Services filed permanent administrative order FSR 3-2022 with the Secretary of State to allow licensed loan originators and employees to work from home. Under the order, Oregon licensed mortgage loan originators “may originate loans from a location other than from a licensed branch office if the location is the licensed mortgage loan originator’s home; the licensed mortgage loan originator is an employee of a mortgage banker or mortgage broker; and the mortgage banker or the mortgage broker complies with OAR 441-860- 0040, as applicable.” Mortgage bankers or brokers must have in place appropriate policies and procedures to supervise licensees working from home, including data security measures to protect consumers’ personal data. Additionally, licensees working from home “are prohibited from engaging in person with consumers for loan origination purposes at the home of the loan originator or employee, unless the home is licensed as a branch.” Licensees may, however, “engage with consumers for loan origination purposes at the home of the loan originator or employee by means of conference telephone or similar communications equipment that allows all persons participating in the visitation to hear each other, provided that participation is controlled and limited to those entitled to attend, and the identity of participants is determinable and reasonably verifiable.” Licensees who work from home are also prohibited from keeping any physical business records at any location other than a licensed location, and must also ensure that all origination records are available at a licensed location.
District Court rules non-judicial foreclosure claims fail
On August 30, the U.S. District Court for the District of Oregon granted defendants’ motion for summary judgment in an action concerning an allegedly unlawful non-judicial foreclosure. Plaintiffs obtained a cash-out loan in 2005 and modified their mortgage terms. The plaintiffs stopped making payments after one of the defendant loan servicer’s agents allegedly informed them that “help was only available if they were in default,” and the defendant loan servicer threatened foreclosure. Following several years of bankruptcy proceedings and foreclosure mediation, plaintiffs sued to stop the foreclosure proceedings, claiming “that the deed of trust was void and that defendants committed fraud in attempting to foreclos[e] on the debt.” The initial non-judicial foreclosure proceedings were rescinded after the suit was dismissed with prejudice, and the defendant loan servicer was eventually allowed to proceed with a second non-judicial foreclosure under Oregon law. Plaintiffs sent a dispute letter demanding that the foreclosure be rescinded because the order in which several notices of default showing the amounts due and the amounts necessary to reinstate were sent did not comply with state law. After the notice was rescinded and a new notice of default was issued and recorded, plaintiffs sued again, seeking to enjoin the defendant trustee’s sale and filing several claims, including breach of contract and violations of the Oregon Unfair Trade Practices Act (OUTPA), RESPA, and FDCPA.
In granting summary judgment to the defendants on each of the claims, the court determined that the breach of contract claim fails because plaintiffs acknowledged that because “they have not substantially performed under the relevant contract,” they are precluded from seeking damages. The FDCPA claim against the defendant trustee also fails “because it is based on a perceived lack of authority under the relevant contract, but as explained in the breach of contract claim, that authority was not lacking.” Finally, the OUTPA and RESPA claims both fail “because there is no evidence that they incurred damages arising out of either claim”—a required element under both statutes, the court said. According to the court, plaintiffs failed “to support their drastic allegations with relevant evidence” and failed to “point to specific evidence supporting valid legal claims.”
Oregon approves final student loan servicer regulations
Recently, the Oregon Department of Consumer and Business Services, Division of Finance and Securities Regulation (the Department), filed agency-approved student loan servicer licensing regulations with the Oregon Office of the Secretary of State. The regulations implement SB 485 (enacted last July and covered by InfoBytes here), which established provisions for student loan servicers related in part to licensing requirements, including the requirement that an applicant for a student loan servicer license should submit applications via the Nationwide Multistate Licensing System (NMLS).The act also implemented related consumer protections for borrowers.
The new regulations establish specific application requirements, including provisions related to subcontractors performing servicing activities on behalf of the student loan servicer. The regulations also provide for automatic licensure for applicants that service student loans under a contract with the Department of Education. Additionally, the regulations address (i) procedures for licensing branch locations; (ii) licensing renewals and fees; (iii) liquidity standards; (iv) bond requirements; (v) various annual reporting requirements; (vi) assessment payments and examination fees; (vii) rules for using an assumed business name; (viii) financial responsibility criteria; (ix) student loan servicer duties and responsibilities in addition to prohibited acts; and (x) licensing exemptions. The regulations also establish the Department director’s supervisory authority and outline disclosure requirements for significant developments or changes to a licensee’s record. The regulations became effective July 1.
States settle with company on fraudulent MLO certifications
On February 10, the Conference of State Bank Supervisors announced that the California Department of Financial Protection and Innovation, Maryland’s Office of the Commissioner of Financial Regulation, and the Oregon Division of Financial Regulation have reached a settlement agreement with the owner of a California-based company for providing false certificates claiming that mortgage loan originators (MLOs) took mandatory eight-hour continuing education courses as required for licensure under state and federal law. The three state financial regulators brought separate enforcement actions alleging violations of the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act) against the individual and his family (collectively, “respondents”) for their role in the “multi-state fraud scheme that involved hundreds of mortgage loan originators.” According to the announcement, the respondents have “agreed to fully cooperate and provide testimony against implicated mortgage loan originators,” and have “agreed to a lifetime restriction from direct and indirect involvement in businesses that provide mortgage lending-related education.” In addition to a $75,000 monetary penalty (which will be divided between the three states), the respondents have agreed to a non-compliance penalty of $15 million should they fail to fully comply with the terms of the settlement agreement.
The action follows a multistate $1.2 million settlement reached last month with 441 MLOs. As previously covered by InfoBytes, the enforcement action included the participation of 44 state agencies from 42 states, and required the settling MLOs to surrender their licenses for three months, pay a $1,000 fine to each state that is a signatory to the consent order in which the MLO holds a license, and take pre-licensing and continuing-education courses before petitioning or reapplying for an MLO endorsement or license.
Oregon enacts student loan servicer provisions
On July 27, the Oregon governor signed SB 485, which outlines licensing provisions for student loan servicers and implements consumer protections for borrowers. Among other things, the act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Oregon Department of Consumer and Business Services (DCBS). Should the director reasonably believe that a person subject to the act’s provisions is “engaging in or is about to engage in an act or practice that constitutes servicing a student loan in this state without first obtaining a license” the director may order the person to cease and desist, affirmatively perform the act, or may apply to an Oregon circuit court to enjoin the person from engaging in such act or practice. Additionally, the act outlines requirements related to, among other things, (i) licensing applications, including that the director may require applicants to submit applications to the Nationwide Multistate Licensing System instead of, or in addition to, submitting the application to the director; (ii) licensing renewals, reinstatements, and surrenders; (iii) a licensee’s principal place of business; (iv) liquidity standards; and (v) branch closures, relocations, or the opening of new locations. Under the act, the director is also granted general supervisory authority over each licensee in the state, examination authority, and the ability to participate in multistate examinations scheduled and conducted by the Conference of State Bank Supervisors or the CFPB. The director may also investigate borrower complaints and servicers’ policies and procedures, may impose civil penalties for violations of the act’s provisions, and may promulgate rules and take any other actions necessary to undertake and exercise the duties and powers conferred on the position. The act also outlines provisions related to servicing obligations, prohibits student loan servicers from engaging in fraudulent, deceptive, and dishonest activities, and creates a student loan ombudsperson at DCBS to handle complaints against student loan servicers and educate borrowers about loan repayment options. The act took effect on its passage.