Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On August 22, the U.S. District Court for the Western District of New York refused to dismiss CFPA and FDCPA claims brought by the CFPB that alleged violations related to misrepresentations made to debtors by debt collectors. The CFPB’s complaint alleged that defendants purchased defaulted consumer debt and then placed it for collection with, or sold it to, a network of debt collectors who consistently violated consumer protection laws by making false statements to debtors. These false statements included informing consumers that (i) they would be sued for failing to pay the debts; (ii) that their credit score would be impacted by paying or not paying the debt; and (iii) that they could face criminal charges for failing to pay the debt. The complaint additionally alleged that defendants were aware of the allegedly unlawful acts by the debt collectors they used through monitoring of the debt collectors and consumer complaints made to defendants.
The CFPB’s complaint alleged violations against a variety of corporate entities responsible for the alleged debt collection practices, as well as individual executives at those entities. Defendants moved to dismiss the complaint on several grounds. The defendants argued that they are not “covered persons” under the CFPA, because they do not actually collect debts themselves. The district court held that the defendants were “covered persons” under the CFPA since they were engaged in the collection of consumer debt, writing that it would “strain ordinary understanding to say that a company is not engaged in collecting debt when it purchases defaulted debt, places that debt with other companies for collection, and then receives some of the money recovered by those debt collectors.” Similarly, the defendants argued that they are not “debt collectors” under the FDCPA. The court also rejected this argument, reasoning that defendants’ principal purpose was debt collection making them a “debt collector” for FDCPA purposes, because they purchased portfolios of debts and derived most of their revenue from collecting those debts.
The district court also rejected defendants’ arguments that they could not be held vicariously liable for the conduct of the third-party debt collectors under the CFPA or FDCPA, reasoning that parties can be found vicariously liable for the acts of their agents under both statutes. The court held that because the CFPB’s complaint alleged that the defendants exercised authority over the debt collectors, vicarious liability for the violations by the debt collectors was appropriate.
The district court further held that the complaint adequately alleged violations of the CFPA by the individual defendants. The court held that the individual defendants enabled violations of the CFPA, relying on the fact that the individual defendants had both knowledge of the violations and the ability to control the violations, by either providing instructions to the debt collectors or by refusing to place debts with those collectors. Further, the court held that the individual defendants could be liable for “substantially assisting” violations of the CFPA, because the complaint alleged that the individual defendants recklessly disregarded unlawful behavior by the debt collectors and continued to place or sell debts to those collectors.
Finally, defendants also argued that both the CFPA and the FDCPA claims are time barred by the statute of limitations. The court rejected the defendants’ argument that the CFPB’s FDCPA claims were barred by the FDCPA’s one-year statute of limitations, holding that this provision applies only to private plaintiffs. The court held that FDCPA claims brought by the CFPB are subject to the CPFA’s statute of limitations, which bars claims brought more than three years after the CFPB’s discovery of the violations. The court further rejected the defendants’ argument that the claims were barred by this three-year statute of limitations, holding that it is unclear from the complaint when the CFPB became aware of facts constituting the violation and that the receipt of a consumer complaint by the CFPB will not necessarily constitute the date that the CFPB discovered or should have discovered the facts constituting the violation.
CFPB contests motions for preliminary injunctions to block enforcement of Small Business Lending Rule
On August 22, the CFPB filed an opposition to a motion made by a group of intervenors seeking to expand the scope of a preliminary injunction issued by the U.S. District Court for the Southern District of Texas, which enjoined the CFPB from implementing its Small Business Lending Rule. As previously covered by InfoBytes, the original plaintiffs in the litigation, a Texas banking association and a Texas bank, challenged the legality of the CFPB’s Small Business Lending Rule. After the American Bankers Association joined the case, the plaintiffs sought, and the court granted, a preliminary injunction enjoining implementation and enforcement of the rule against plaintiffs and their members. The intervenors, who consist of both banking and credit union trade associations, as well as individual banks and credit unions, seek a nationwide injunction that would apply beyond the parties to the case, or at least to the intervenors and their members. The CFPB’s opposition to this request for an expanded preliminary injunction argues that the intervenors fail to show that they would suffer immediate harm from enforcement of the Small Business Lending Rule.
In a related matter, on August 21, a group of Kentucky banks and a Kentucky banking association filed a motion for a preliminary injunction in the U.S. District Court for the Eastern District of Kentucky against the CFPB, seeking a preliminary injunction enjoining the CFPB from enforcing the Small Business Lending Rule against the plaintiffs and their members. Referencing the parallel Texas litigation, the Kentucky plaintiffs allege that they are entitled to an order enjoining enforcement of the Small Business Lending Rule against them for the same reasons that the Texas district court enjoined enforcement of the rule.
The most recent litigation activity follows a request from a group of trade associations to the CFPB to take administrative action to address the disparity in compliance dates that results from the district court’s injunction, a disparity that the trade associations argue is both unfair and disruptive to the market’s compliance efforts. The CFPB declined this request.
Both of these challenges to the Small Business Lending Rule point to a recent decision issued by the U.S. Court of Appeals for the Fifth Circuit in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the court found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here), as justification for why the final rule should ultimately be set aside.
On August 22, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a proposed class action alleging that defendant insurance companies leaked the plaintiffs’ drivers license numbers, holding that the plaintiffs lacked standing to sue the insurance companies. In a split decision, the majority opinion held that plaintiffs failed to establish standing to bring a lawsuit under the Driver’s Privacy Protection Act (DPPA) based on the unauthorized disclosure of their driver’s license numbers through a form on defendant’s website. The majority held that plaintiffs failed to allege a concrete injury, writing that allegations that plaintiffs are worried about future identity theft stemming from the disclosure are insufficient for standing, focusing on legitimate reasons why driver’s license numbers are commonly exposed to third-parties. The majority further held that plaintiffs failed to allege that false unemployment benefit applications submitted in their name were traceable to the disclosure of their driver’s license number, dooming their standing claim. In a dissent, Judge Kenneth Ripple disagreed with the majority’s conclusion that plaintiffs failed to make sufficient allegations to justify standing, reasoning that the DPPA contemplates a private right of action for the types of harms suffered by the plaintiffs and that plaintiffs adequately alleged that they suffered harm from false unemployment benefit applications submitted as a result of the driver’s license number leak.
On August 24, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s order dismissing plaintiff’s claim that a national bank’s nearly $1.8 billion syndicated loan for a drug testing company were securities. The drug testing company filed for bankruptcy subsequent to a $256 million global settlement with the DOJ in qui tam litigation involving the company’s billing practices.
Plaintiff, a trustee of the drug testing company, brought claims to the New York Supreme Court in 2017 against defendant for violations of (i) state securities laws; (ii) negligent misrepresentation; (iii) breach of fiduciary duty; (iv) breach of contract; and (v) breach of the implied contractual duty of good faith and fair dealing. Defendant filed a notice of removal to the U.S. District Court for the Southern District of New York, where the district court denied plaintiff’s motion to remand after concluding it had jurisdiction under the Edge Act, and later granted defendant’s motion to dismiss because plaintiff failed to plead facts plausibly suggesting the notes are securities.
The 2nd Circuit held that the district court had subject matter jurisdiction pursuant to the Edge Act. The court then applied a “family resemblance” test to determine whether a note is a security and examined four separate factors to help uncover the context of a note. In comparing the loan note to “judicially crafted” list of instruments that are not securities, the court found that the defendant’s note “‘bears a strong resemblance’” to one, therefore concluding that the note is not a security and affirming the district court’s earlier decision.
On August 21, the U.S. Court of Appeals for the Second Circuit upheld the dismissal of a whistleblower False Claims Act (FCA) case, holding that FCA qui tam relator complaints may be dismissed upon the government’s motion without a hearing, provided the district court consider the parties’ arguments. The plaintiff qui tam here alleged that a bank (defendant) failed to pay penalties to the government for violating economic sanctions. Plaintiff’s complaint specifically alleged that defendant facilitated illegal transactions violating economic sanctions and defrauded the government by concealing the extent of its illegal activities during negotiation of a deferred prosecution agreement. In a summary order without precedential effect, the 2nd Circuit upheld the dismissal of plaintiff’s complaint.
Plaintiff’s complaint was initially dismissed by the district court following a motion to dismiss by the government, which intervened in the action to argue that the complaint should be dismissed because it lacked merit and would waste government resources. Consideration of plaintiff’s appeal of the dismissal was delayed until after the Supreme Court issued a decision in Polansky v. Executive Health Resources, Inc., a different FCA case raising applicable issues regarding when the government has the authority to force the dismissal of an FCA case brought by a whistleblower.
Following the Supreme Court’s ruling in Polansky, the 2nd Circuit upheld the dismissal of plaintiff’s complaint, reasoning that district court properly dismissed the qui tam relator claim after the government’s intervention seeking dismissal, since the defendant bank had not yet answered the complaint or moved for summary judgment. The 2nd Circuit held that “the district met the hearing requirement” established by Polansky for dismissing qui tam relator cases through its careful consideration of the briefs and materials submitted by the parties. In reaching this conclusion, the 2nd Circuit noted that Polansky does “not mandate universal requirements” for an FCA hearing in every case. The 2nd Circuit also rejected plaintiff’s due process arguments, plaintiff’s claim that the court failed to evaluate defendant’s settlement with the government resolving related criminal and administrative violations, and plaintiff’s claim that the district court erred in denying its motion for an indicative ruling, based on new evidence published while the appeal was pending.
On August 22, the DOJ and the FTC jointly announced a permanent injunction and civil penalty of $650,000 against a company that offers credit information, analytical tools, and marketing services for alleged violations of the CAN-SPAM Act, the CAN-SPAM Rule, and the FTC Act. The case, which was filed in the District Court for the Central District of California, asserts that millions of commercial emails sent to consumers did not give the recipients requisite notice of the option to opt-out of future such emails, in violation of the CAN-SPAM Act and Rule. The order enjoined the company from sending commercial emails that do not provide notice of the recipient’s ability to opt-out of future emails, it also enjoins the company from otherwise violating the CAN-SPAM Act, and subjects it to a civil penalty judgment of $650,000.
On August 21, the FTC announced it has stopped California-based scammers (defendants) who allegedly preyed on students seeking debt relief by pretending to be affiliated with the Department of Education. According to the August 14 complaint, since at least 2019, the defendants allegedly targeted students and illegally collected $8.8 million in advance fees in exchange for student loan debt relief services that did not exist. The defendants allegedly misled consumers by charging them for services that are free through the Department of Education, claiming consumers needed to pay fees or make payments to access federal student loan forgiveness, using names like "Biden Loan Forgiveness," that does not correspond to any actual government program. For instance, one consumer was asked to pay $375 for a processing fee to have up to $20,000 in loans forgiven because of a Pell Grant. Another was told they would get a $10,000 reduction in their loan balance and a new repayment plan with six $250 monthly payments under the “student loan forgiveness program.” The FTC alleges violations of Section 5 of the FTC Act, which prohibits deceptive acts or practices, TCPA, and the Gramm-Leach-Bliley Act. The complaint also alleges that the defendants used such misrepresentations to illegally obtain consumers’ banking information, and typically collected hundreds of dollars in unlawful advance fees—sometimes through remotely created checks in violation of the Telemarketing Sales Rule. The U.S. District Court of the Central District of California filed a temporary restraining order, resulting in an asset freeze, among other things. The FTC seeks preliminary, and permanent injunctive relief, monetary relief, and other relief.
On August 14, an Illinois District Court denied in part and granted in part a tech company’s motion to dismiss a class-action suit that alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The complaint alleged that the tech giant failed to safeguard the facial data in its photo service as closely as it protected other types of data and violated its own policy governing biometric identifier storage. BIPA requires companies to store, transmit, and protect biometric data using the reasonable standard of care within the company’s industry and to protect that data in either the same or more protective manner as it protects other types of confidential data.
In permitting the complaint to move forward, the court noted that the defendant’s internal documents allegedly show that it made minimal investment in its photo service and made no attempt to identify flaws in the system. Further, the court referred to allegations in the complaint that the defendant devotes fewer resources and staffing to protecting the photo service. The court noted that the allegations were sufficient because the lack of protocols made consumers’ critical metadata “vulnerable to attacks.”
In granting the motion related to violation of the defendant’s policies, the court noted that plaintiffs did not show they were personally injured by the alleged violation. The defendant’s policy requires it to delete files for accounts that have been abandoned for two years, for which image recognition was disabled, or where user deleted their photo account. However, the court concluded that the complaint did not allege that plaintiffs did any of these actions.
On August 15, the USDA filed a brief urging the U.S. Supreme Court to overturn a U.S. Court of Appeals for the Third Circuit decision to reverse its FCRA lawsuit brought by a plaintiff who alleged that the consumer credit reporting agency reported two loans as past due even though he claimed both were closed with a $0 balance. In August 2022, the 3rd Circuit reversed a district court’s decision to grant a student loan servicer, consumer credit reporting agency, and the USDA’s (defendants) motion to dismiss a case finding that Congress unambiguously waived the government’s sovereign immunity in enacting FCRA (covered by InfoBytes here). The USDA argues that the district court was wrong in its decision, and that the FCRA does not waive the U.S.’s sovereign immunity for claims under 15 U.S.C. 1681n and 1681o because, among other things, (i) a waiver of sovereign immunity requires “unmistakably clear” statutory language; (ii) the FCRA does not create a cause of action that “‘expressly authorizes suits against sovereigns,’ and ‘recognizing immunity’ would ‘negate’ that express authorization”; (iii) the FCRA uses “persons” in a way that does not distinguish between sovereign and non-sovereign senses; (iv) “inexplicable incongruencies” with the term “person” within the context of §§ 1681n and 1681o includes a sovereign entity, which would not only expose the federal government but also individual states to potential lawsuits seeking monetary damages; and (v) interpreting the FCRA to permit lawsuits against the U.S. would significantly broaden the scope of liability for federal agencies, creating “overlap” already provided by the Privacy Act.
On August 14, the U.S. District Court for the Eastern District of Michigan dismissed without prejudice a lawsuit filed against the federal government aimed at blocking the Biden administration’s effort to provide debt relief to student borrowers (covered by InfoBytes here). U.S. District Judge Thomas L. Ludington held that the plaintiffs lacked standing because they failed to plausibly demonstrate how the government’s plans would impact their efforts to recruit participants as qualified employers under the Public Service Loan Forgiveness program. The court detailed that “[Plaintiffs] merely make vague and conclusory statements that some ‘undisclosed’ number of borrowers will receive credit toward loan forgiveness for some periods of forbearance” but “do not allege that any current employee received Adjustment credit.” Furthermore, any such “hypothetical injur[y]” would be traceable to “Plaintiffs’ own employees or prospective employees, not the Adjustment.” Because there was no standing, the court dismissed the complaint without prejudice and denied the plaintiffs’ motion for a temporary restraining order and preliminary injunction as moot.