Fed and Illinois regulator take action against bank on capital and management
On May 4, the Federal Reserve Board announced an enforcement action against an Illinois state-chartered community bank and its holding company related to alleged deficiencies identified in recent examinations. While the written agreement (entered into by the parties at the end of April) does not outline the specific deficiencies, it notes that the bank and the holding company have started taking corrective action to address the issues identified by the Federal Reserve Bank of St. Louis (FRB) and the Illinois Department of Financial and Professional Regulation (IDFPR). Among other things, the holding company’s board of directors must take appropriate steps to fully use its financial and managerial resources to ensure the bank complies with the written agreement and any other supervisory action taken by the bank’s federal or state regulator. The board is also required to submit a written plan to the FRB and the IDFPR describing actions and measures it intends to take to strengthen board oversight of the management and operations of the bank. The bank is required to submit a written plan outlining its current and future capital requirements and must notify the FRB and the IDFPR within 30 days after the end of any calendar quarter in which its capital ratios fall below the minimum ratios specified within the approved capital plan. Additionally, the bank is prohibited from taking on debt, redeeming its own stock, or paying out dividends or distributions without the prior approval of state and federal regulators.
ID verifier to pay $28.5 million to settle BIPA allegations
On May 5, the U.S. District Court for the Northern District of Illinois preliminarily approved an amended class action settlement in which an identification verification service provider agreed to pay $28.5 million to settle allegations that it violated the Illinois Biometric Information Privacy Act (BIPA). According to the plaintiffs, the defendant collected, stored, and/or used class members’ biometric data without authorization when they uploaded photos and state IDs on a mobile app belonging to one of the defendant’s customers. After the court denied the defendant’s move to compel arbitration and determined the plaintiff had standing to pursue his BIPA claims, the parties entered into settlement discussions without the defendant admitting any allegations or liability. The court certified two classes: (i) Illinois residents who uploaded photos to the defendant through the app or website of a financial institution (class members will receive $15.7 million); and (ii) Illinois residents who uploaded photos through a non-financial institution (class members will receive $12.8 million). A final approval hearing will determine attorney’s fees and expenses and incentive awards.
Illinois announces new consumer protections for digital assets, proposes new money transmitter licensing provisions
On February 21, the Illinois Department of Financial and Professional Regulation (IDFPR) announced several legislative initiatives to establish consumer protections for cryptocurrencies and other digital assets and provide regulatory oversight of the broader digital asset marketplace. The Fintech-Digital Asset Bill (see HB 3479) would create the Uniform Money Transmission Modernization Act and provide for the regulation of digital asset businesses and modernize regulations for money transmission in the state. Among other things, the Fintech-Digital Asset Bill would require digital asset exchanges and other digital asset businesses to obtain a license from IDFPR to operate in the state. The bill also establishes various requirements for businesses, including investment disclosures, customer asset safeguards, and customer service standards. Companies would also be required to implement cybersecurity measures, as well as procedures for addressing business continuity, fraud, and money laundering. Notably, the Fintech-Digital Asset Bill replaces and supersedes the Transmitters of Money Act (see 205 ILCS 657) with the Money Transmission Modernization Act, in order to harmonize the licensing, regulation, and supervision of money transmitters operating across state lines. Provisions also amend the Corporate Fiduciary Act to allow for the creation of trust companies for the special purpose of acting as a fiduciary to safeguard customers’ digital assets, the announcement noted.
The Consumer Financial Protection Bill (see HB 3483) would grant the IDFPR authority to enforce the Fintech-Digital Asset Bill and strengthen the department’s authority and resources for enforcing existing consumer financial protections. Modeled after the Dodd-Frank Act, the Consumer Financial Protection Bill empowers the IDFPR with the ability to target unfair, deceptive, and abusive acts and practices by unlicensed financial services providers. The bill creates the Consumer Financial Protection Law and the Financial Protection Fund, and establishes provisions related to supervision, registration requirements, consumer protection, cybersecurity, anti-fraud and anti-money laundering, enforcement, procedures, and rulemaking. The Consumer Financial Protection Bill also includes provisions concerning court orders, penalty of perjury, character and fitness of licensees, and consent orders and settlement agreements, and makes amendments to various application, license, and examination fees. The bill does so by amending the Collection Agency Act, Currency Exchange Act, Sales Finance Agency Act, Debt Management Service Act, Consumer Installment Loan Act, and Debt Settlement Consumer Protection Act.
Illinois Supreme Court says BIPA claims accrue with every transmission
On February 17, the Illinois Supreme Court issued a split decision holding that under the state’s Biometric Information Privacy Act (BIPA), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The plaintiff filed a proposed class action alleging a defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting her biometric data and disclosing the data to a third-party vendor without first obtaining her consent. According to the plaintiff, the defendant introduced a biometric-collection system that required employees to scan their fingerprints in order to access pay stubs and computers shortly after she began her employment in 2004. Under BIPA (which became effective in 2008), section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining “a person’s biometric data without first providing notice to and receiving consent from the person,” whereas Section 15(d) provides that private entities “may not ‘disclose, redisclose, or otherwise disseminate’ biometric data without consent.” While the plaintiff asserted that the defendant did not seek her consent until 2018, the defendant argued, among other things, that the action was untimely because the plaintiff’s claim accrued the first time defendant obtained her biometric data. In this case, defendant argued that plaintiff’s claim accrued in 2008 after BIPA’s effective date. Plaintiff countered that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.” The U.S. District Court for the Northern District of Illinois agreed with the plaintiff but certified its order for immediate interlocutory appeal after “finding that its decision involved a controlling question of law on which there is substantial ground for disagreement.”
The U.S. Court of Appeals for the Seventh Circuit ultimately found that the parties’ competing interpretations of claim accrual were reasonable under Illinois law, and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court. The question certified to the high court asked whether “section 15(b) and (d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]”
The majority held that the plain language of the statute supports the plaintiff’s interpretation. “With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub,” the high court said. The majority rejected the defendant’s argument that a BIPA claim is limited to the initial scan or transmission of biometric information since that is when the individual loses the right to control their biometric information “[b]ecause a person cannot keep information secret from another entity that already has it.” This interpretation, the majority wrote, wrongfully assumes that BIPA limits claims under section 15 to the first time a party’s biometric identifier or biometric information is scanned or transmitted. The Illinois Supreme Court further held that “[a]s the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’” However, the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” adding that because “we continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature, . . . [w]e respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
The dissenting judges countered that “[i]mposing punitive, crippling liability on businesses could not have been a goal of [BIPA], nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.” “Indeed, the statute’s provision of liquidated damages of between $1000 and $5000 is itself evidence that the legislature did not intend to impose ruinous liability on businesses,” the dissenting judges wrote, cautioning that plaintiffs may be incentivized to delay bringing claims for as long as possible in an effort to increase actionable violations. Under BIPA, individuals have five years to assert violations of section 15—the statute of limitations recently established by a ruling issued by the Illinois Supreme Court earlier this month (covered by InfoBytes here).
Illinois Supreme Court sets five-year SOL for section 15 BIPA violations
On February 2, the Illinois Supreme Court held that under the state’s Biometric Information Privacy Act (BIPA), individuals have five years to assert violations of section 15 of the statute. The plaintiff sued his former employer claiming that by scanning his fingerprints, the company violated section 15(a) of BIPA (which provides for the retention and deletion of biometric data), as well as sections 15(b) and 15(d) (which provide for the consensual collection and disclosure of biometric identifiers and biometric information). According to the plaintiff, the defendant allegedly failed to implement and adhere to a publicly available biometric information retention and destruction policy, failed to obtain his consent to collect his biometric data, and disclosed his data to third parties without his consent. The defendant moved to dismiss the complaint as untimely, arguing that “claims brought under [BIPA] concern violations of privacy, and therefore, the one-year limitations period in section 13-201 of the [Code of Civil Procedure (Code)] should apply to such claims under [BIPA] because section 13-201 governs actions for the ‘publication of matter violating the right of privacy.’”
The circuit court disagreed, stating that the lawsuit was timely filed because the five-year limitations period codified in section 13-205 of the Code applied to violations of BIPA. While the circuit court agreed that BIPA is a privacy statute, it said section 13-201 of the Code applies to privacy claims where “publication” is an element of the complaint. Because the plaintiff’s complaint does not involve the publication of biometric data and does not assert invasions of privacy or defamation, the one-year limitations period should not apply, the circuit court said, further adding that BIPA is not intended “to regulate the publication of biometric data.” The circuit court also concluded that the five-year limitations period applied in this case because BIPA itself does not contain a limitations period.
The defendant amended his complaint and eventually appealed. The appellate court ultimately concluded that the one-year limitations period codified in section 13-201 of the Code applies to claims under section 15(c) and 15(d) of BIPA “where ‘publication or disclosure of biometric data is clearly an element’ of the claim,” and that the five-year limitations period codified in section 13-205 of the Code governs actions brought under section 15(a), 15(b), and 15(e) (which provides data safeguarding requirements) of BIPA “because ‘no element of publication or dissemination’ exists in those claims.” The defendant continued to argue that BIPA is a privacy statute and as such, claims brought under section 15 of BIPA should be governed by the one-year limitations period codified in section 13-201 of the Code.
In affirming in part and reversing in part the judgment of the appellate court, the Illinois Supreme Court applied the state’s “five-year catchall limitations period” to claims brought under BIPA. “[A]pplying two different time limitations periods or time-bar standards to different subsections of section 15 of [BIPA] would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under [BIPA],” the Illinois Supreme Court wrote.
District Court grants summary judgment to bank in discriminatory lending suit
On December 19, the U.S. District Court for the Northern District of Illinois granted summary judgment in favor of a national bank with respect to discriminatory lending allegations brought by the County of Cook in Illinois (County). As previously covered by InfoBytes, the County alleged that the bank’s lending practices were discriminatory and led to an increase in foreclosures among Black and Latino borrowers, causing the County to incur financial injury, including foreclosure-related and judicial proceeding costs and municipal expenses due to an increase in vacant properties. In 2021, the court denied the bank’s motion to dismiss the alleged Fair Housing Act violations after determining that all the County had to do was show a reasonable argument that the bank’s lending practices resulted in foreclosures, and that the bank failed to dispute that the County properly alleged a financial injury sufficient to support standing.
The court explained in its December 19 order, however, that two of the County’s expert witnesses did not make valid comparisons when measuring the denial rate for minority borrowers compared to white borrowers. According to the court, the expert witnesses failed to properly account for the financial conditions of the borrowers seeking mortgage modifications, leaving the County with “no other evidentiary basis to establish that [the bank] engaged in intentionally discriminatory servicing practices that caused minority borrowers to disproportionately suffer default and foreclosure.” The court found that, accordingly, the County cannot demonstrate “intentional discrimination against minority borrowers that proximately caused the County’s injuries, and its disparate treatment claim accordingly cannot survive summary judgment.” Additionally, the court found that the County failed to cite authority for its arguments that the bank can be liable for loans it purchased “and for which it did not commit any discriminatory acts in servicing” or for loans it originated but sold and never serviced.
Appellate court reverses BIPA decision
On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014. From the beginning of his employment, the plaintiff clocked into his job using a fingerprint, but the defendant did not have a written retention-and-destruction schedule for biometric data until 2018. The plaintiff was subsequently terminated and then filed suit claiming that the defendant violated BIPA by failing to establish a retention-and-destruction schedule for the possession of biometric information until four years after it first possessed the plaintiff’s biometric data. The trial court granted the defendant’s motion for summary judgment, finding that section 15(a) of BIPA established no time limits by which a private entity must establish a retention-and-destruction schedule for biometric data. The plaintiff appealed.
The appellate court reversed the trial court’s order, finding that Section 15(a) specified that a private entity “in possession of” biometric data must develop a written policy laying out its retention and destruction protocols, and the duty to develop a schedule is triggered by possession of the biometric data. The appellate court noted that its decision “is consistent with the statutory scheme, which imposes upon private entities the obligation to establish [BIPA]-compliant procedures to protect employees' and customers' biometric data.” The appellate court went on to note that it “can discern no rational reason for the legislature to have intended that a private entity ‘develop’ a ‘retention schedule and guidelines for permanently destroying’ (id. § 15(a)) biometric data at a different time from that specified in the notice requirement in section 15(b), which itself must inform the subject of the length of time for which the data will be stored (i.e., retained), etc.” The appellate court concluded “that the duty to develop a schedule upon possession of the data necessarily means that the schedule must exist on that date, not afterwards,” and stressed that this is “the only reasonable interpretation” in light of BIPA's “preventive and deterrent purposes.”
Furthermore, the appellate court rejected the defendant’s argument that “the statutory duty is satisfied so long as a schedule exists on the day that the biometric data possessed by a defendant is no longer needed or the parties’ relationship has ended,” stating that the statutory language “belies this interpretation.”
States say student loan trusts are subject to the CFPA’s prohibition on unfair debt collection practices
On November 15, a bipartisan coalition of 23 state attorneys general led by the Illinois AG announced the filing of an amicus brief supporting the CFPB’s efforts to combat allegedly illegal debt collection practices in the student loan industry. As previously covered by InfoBytes, in February, the U.S. District Court for the District of Delaware stayed the Bureau’s 2017 enforcement action against a collection of Delaware statutory trusts and their debt collector after determining there may be room for reasonable disagreement related to questions of “covered persons” and “timeliness.” The district court certified two questions for appeal to the U.S. Court of Appeals for the Third Circuit related to (i) whether the defendants qualify as “covered persons” subject to the Bureau’s enforcement authority; and (ii) whether the case can be continued after the Supreme Court’s 2020 decision in Seila Law v. CFPB (which determined that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau—covered by a Buckley Special Alert). Previously, the district court concluded that the suit was still valid and did not need ratification because—pointing to the majority opinion in the Supreme Court’s decision in Collins v. Yellen (covered by InfoBytes here)—“‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[,]’” and therefore the Bureau’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” The district court later acknowledged, however, that Collins “is a very recent Supreme Court decision” whose scope is still being “hashed out” in lower courts, which therefore “suggests that there is room for reasonable disagreement and thus supports an interlocutory appeal here.”
The states argued that they have a “substantial interest” in protecting state residents from unlawful debt collection practices, and that this interest is implicated by this action, which addresses whether the defendant student loan trusts are “covered persons” subject to the prohibition on unfair debt collection practices under the CFPA. Urging the 3rd Circuit to affirm the district court’s decision to deny the trusts’ motion to dismiss, the states contended, among other things, that hiring third-party agencies to collect on purchased debts poses a large risk to consumers. These types of trusts, the states said, “profit only when the third parties that they have hired are able to collect on the flawed debt portfolios that they have purchased.” Moreover, “[d]ebt purchasing entities, including entities like the [t]rusts, are thus often even more likely than the original creditors to resort to unlawful tactics in undertaking collection activities,” the states stressed, explaining that in order to combat this growing problem, many states apply their prohibitions on unlawful debt collection practices “to all debt purchasers that seek to reap profits from these illegal activities, including those purchasers that outsource collection to third parties.” The Bureau’s decision to do the same is therefore appropriate under the CFPA, the states wrote, adding that “as a practical matter, these debt purchasers are as problematic as debt purchasers that collect on their own debt. The [t]rusts’ request to be treated differently because of their decision to hire third party agents to collect on the debts that they have purchased (and reap the profits on) should be rejected.”
District Court says university is a financial institution exempt from state privacy law
On November 4, the U.S. District Court for the Northern District of Illinois granted a defendant university’s motion to dismiss Illinois Biometric Information Privacy Act (BIPA) claims, ruling that because the defendant participates in the Department of Education’s Federal Student Aid Program, it is a “financial institution” subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and therefore exempt from BIPA. Plaintiff sued the defendant claiming the university used technology to collect biometric identifiers to surveil students taking online exams. According to the plaintiff, the defendant’s use of this technology violated students’ biometric privacy rights because the defendant did not obtain students’ written consent to collect and use that data, failed to disclose what happens with the data after collection, and failed to adhere to BIPA’s retention and destruction requirements.
The court disagreed and dismissed the putative class action. The court explained that the defendant’s direct student lending and participation in the Federal Student Aid Program allows it to qualify as a “financial institution,” defined by the GLBA as “any institution the business of which is engaging in financial activities.” As such, it is expressly exempt from BIPA. The court rejected plaintiff’s argument that the defendant did not fit within this definition because it is in the business of higher education rather than financial activities, because at least five other courts have also concluded that “institutions of higher education that are significantly engaged in financial activities such as making or administering student loans” qualify for exemption. The court also referred to a 2000 FTC rule issued when the Commission had both enforcement and rulemaking authority under the GLBA. The rule considered colleges and universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers,” which the court found to be “particularly persuasive because it evidences longstanding, consistent, and well-reasoned interpretation of the statute that it had been tasked to administer.”
FDIC announces Illinois disaster relief
On October 25, the FDIC issued FIL-49-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Illinois affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.