InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC, DOJ sue maker of health app over data sharing
On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.
The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.
Collection agency to pay $10k for operating without a license
On March 21, the Connecticut Department of Banking fined a collection agency $10,000 and ordered it to cease and desist from collection agency activity for operating without a valid license. According to the order, the company applied for a consumer collection agency license in Connecticut in October 2022. However, during its review of the company’s application, the Department of Banking discovered that the company had been operating as a consumer collection agency without a license in the state since at least 2019. Under the terms of the consent order, the company must pay a civil penalty fine of $10,000, and pay $800 to cover back licensing fees. The company consented to the entry of the sanctions without admitting or denying any wrongdoing “solely for the purpose of obviating the need for further formal administrative proceedings,” the order said.
Collection firm to pay $100,000 for operating without a license
On December 1, the Connecticut Department of Banking (Department) fined a collection law firm $100,000 and ordered it to cease and desist from collection activity for operating without a valid license. According to the order, in August, the Department issued a temporary order to cease and desist, a notice of intent to issue order to cease and desist, a notice of intent to impose a civil penalty, and a notice of a right to a hearing, which provided the firm 14 days to respond to request a hearing. Furthermore, the firm was warned that if a request for hearing was not made, a cease and desist order would likely be forthcoming. During its investigation, the state discovered that in 2019, the firm was conducting unlicensed collection agency activity for about 10,000 Connecticut accounts with a total balance of about $1.4 million. The firm allegedly collected approximately $81,000 of that amount. In late 2019, the state sent the firm a certified letter regarding its collection activity and asked for a response, which was never provided. In the August order, the firm was asked to supply the state with a list of all the creditors with whom the firm has entered into agreements for consumer collection services since July 2018, including copies of all the agreements with those creditors, and an itemized list of each Connecticut debtor account that the firm had attempted collections on for the same time period.
Connecticut fines collection agency $100,000 and revokes license
On August 18, the Connecticut Banking Commissioner revoked a consumer collection agency’s license after finding that it failed to provide requested information during an examination. Following an examination in May, the commissioner issued a “Notice of Automatic Suspension, Notice of Intent to Revoke Consumer Collection Agency License, Notice of Intent to Issue Order to Cease and Desist, Notice of Intent to Impose Civil Penalty and Notice of Right to Hearing” to the collection agency warning that if it failed to request a hearing within 14 days “the allegations would be deemed admitted.” According to the order, due to the collection agency’s failure to respond to the notices, the commissioner was “unable to determine that the financial responsibility, character, reputation, integrity and general fitness of Respondent are such to warrant belief that the business will be operated soundly and efficiently.” The collection agency also allegedly failed to maintain a surety bond that ran in accordance with its consumer collection agency license. The commissioner revoked the collection agency’s license to operate in the state, ordered it to cease and desist from violating Section 36a-17(e) of the 2022 Supplement to the General Statutes which requires it to make its records available, and imposed a $100,000 civil penalty.
Connecticut issues money transmitter advisory
Recently, the Connecticut Department of Banking (Department) issued an advisory on money transmission, providing general guidance on what types of activities and entities must be licensed. According to the advisory, transmission can occur whenever “a person takes possession or control of monetary value belonging to another person” and holds it for a period of time, or transmits it to a third party. The Department noted that “[t]he increased use of technology to enable immediate payment mechanisms, as well as the explosion of virtual currency, has caused significant disruption to traditional money transmission systems.” The Department also acknowledged that many consumers do “not realize or understand the regulatory landscape that applies” to using money transmitters. Among other things, the advisory listed entities that traditionally provide transmission services like bill payers, payroll processors, and issuers and sellers of prepaid cards and money orders. The advisory also discussed Connecticut’s license application and penalties for unlicensed transmission, explaining that licensure goes through the Nationwide Multistate Licensing System and involves disclosing pertinent information concerning all “control persons.”
Connecticut fines collection agency $10,000 for violating usury laws
On June 28, the Connecticut Department of Banking issued a consent order against a licensed consumer collection agency for allegedly engaging in numerous violations of state law. These include (i) collecting on loans made by unlicensed lenders affiliated with federally-recognized Native American tribes that violate state usury laws; (ii) commingling operating monies from its business account with funds in its trust accounts; and (iii) engaging in unfair or deceptive acts or practices by advertising financial products and services of unlicensed affiliates in communications with consumers. According to the order, an examination found that the company collected on loans made by unlicensed lenders affiliated with Native American tribes that charged interest rates exceeding state limits, and that the company received payments on small loans that violated other state statutes. The Connecticut Department of Banking noted that, pursuant to a Connecticut Supreme Court decision in Great Plains Lending, LLC v. Department of Banking, consumer collection agencies are prohibited “from collecting on small loans made by unlicensed persons, including lenders affiliated with Native American tribes." Such loans are considered void and unenforceable, the Department said.
While the company neither admitted nor denied any of the allegations, it voluntarily agreed to the imposition of sanctions to obviate the need for formal administrative proceedings. Under the terms of the consent order, the company must pay a $10,000 civil penalty, refund all amounts collected from Connecticut borrowers as payment on small loans made by unlicensed lenders affiliated with federally recognized Native-American tribes, implement appropriate policies and procedures, cease and desist from soliciting financial services products in its collection communications with consumers, and cease and desist from collecting, attempting to collect, and receiving payment on small loans not made in compliance with state law.
Collection agency to pay $10,000 for operating without a license in Connecticut
On June 24, the Connecticut Department of Banking issued a consent order against a company for operating as a consumer collection agency without obtaining the proper license. According to the order, the company filed a consumer collection agency license application in Connecticut in June 2020. However, during its review of the company’s application, the Department of Banking discovered that it had been operating as a consumer collection agency without a license in the state since 2019. Under the terms of the consent order, the company must pay a civil penalty fine of $10,000, and pay $800 to cover licensing fees.
Connecticut amends banking statutes
On May 17, the Connecticut governor signed S.B. 268, which makes various revisions to state banking statutes. Among other things, the bill establishes that a money transmission license is not transferable or assignable, but a licensee may be acquired under certain circumstances. The bill also establishes that the commissioner cannot approve a state-bank’s loan production office to be established unless the commissioner has considered the out-of-state bank's record of compliance. Additionally, the bill establishes certain definitions, including the meaning of “control”, “control person,” “key individual,” and “passive investor.” The bill is effective October 1.
Connecticut becomes fifth state to enact comprehensive privacy legislation
On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.
Connecticut issues CDO against unlicensed small-dollar marketplace lender
On May 4, the Connecticut Banking Commissioner issued a temporary cease and desist order against an unlicensed California-based marketplace lender after determining it had reason to believe the respondent allegedly violated several provision of the Connecticut General Statutes, as well as Section 1036 of the CFPA. The respondent operates a mobile application to help consumers take out small-dollar loans and solicits lenders via its website through advertisements claiming it “takes the work out of lending by vetting and organizing a marketplace of loan requests” where “[b]orrowers set their own terms and provide appreciation tips to lenders who agree to fund a loan, allowing for mutually beneficial financial outcomes.” Consumers initiate loans on the respondent’s platform for a certain amount, which includes optional monetary tips for both the lender and the respondent of up to 12 and 9 percent of the loan amount respectively. The Commissioner’s investigation noted that while the respondent touted the tips as being optional and not required for submitting a loan request or receiving funding, 100 percent of the loans originated to Connecticut consumers from June 2018 to August 2021 included a tip. When the tips were factored into the finance charge, the APRs of the Connecticut consumers’ loans ranged from 43 percent to over 4,280 percent. During the identified time period, loan disclosures identified the amount of the tips for each loan; however, starting in April 2021, the revised disclosures and promissory notes removed any itemization of the tips, and promissory notes allegedly “failed to indicate any obligation of the borrower to pay tips on their loans.” According to the Commissioner, the corresponding disclosures “stated that only one payment, for the principal loan amount, was due at the end of the loan,” however on the loan’s due date, the total loan amount including tips was withdrawn from the consumer’s account. Additionally, disclosures allegedly informed consumers that the APR on the loans was zero percent even though all the loans carried much higher APRs.
The Commissioner further concluded that the respondent prohibited direct communication between consumers and lenders and charged several fees on delinquent loans, including late fees and recovery fees for its collection efforts. Moreover, at least one of the contracted collection agencies was not licensed in the state, nor was the respondent licensed as a small loan company in Connecticut, and nor did it qualify for a licensure exemption.
In issuing its order to cease and desist, order to make restitution, and notice of intent to impose a civil penalty and other equitable relief, the Commissioner stated that the respondent’s “offering, soliciting, brokering, directly or indirectly arranging, placing or finding a small loan for a prospective Connecticut borrower, without the required license” constitutes at least 1,600 violations of the Connecticut General Statutes. The Commissioner cited additional violations, which included engaging in unlicensed activities such as lead generation and debt collection, and cited the respondent for providing false and misleading information related to the terms and costs of the loan transactions in violation of both state law and the CFPA’s prohibition against deceptive acts or practices. In addition to ordering the respondent to immediately cease and desist from engaging in the alleged violations, the Commissioner ordered the respondent to repay any amounts received from Connecticut consumers in connection with their loan, plus interest.