InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Court denies CFPB motion to reconsider, applies new RESPA safe harbor
On March 22, the U.S. District Court for the Western District of Kentucky denied the CFPB’s motion to reconsider an opinion issued in July 2017, which held that a safe harbor provision for affiliated business arrangements under Section 8(c)(4) of RESPA protects a Louisville law firm's relationship with a string of now-closed title insurance agencies (previously covered by InfoBytes here). In denying the request, the court clarified its previous reasoning and found that the transactions did not violate Section 8(a) because the law firm did not give the title insurance agencies a “thing of value,” and even assuming a violation, the safe harbor under Section 8(c)(2)—even though the court previously relied on Section 8(c)(4)—applied. The court relied on the D.C. Circuit’s 2016 interpretation of Section 8(c)(2) in PHH Corporation v. CFPB, which found that payments made in exchange for a service “actually received” is not the same as payments made for referrals and a payment is bona fide if it amounts to “reasonable market value” for the service. In applying the PHH holding to the present facts, the court concluded that the payments consumers made to the title agencies, which were subsequently distributed as profits to corresponding partners, were made in exchange for title insurance that was actually received by the consumer. Moreover, the court noted that there was no evidence that the payments were above market value, and therefore determined they were bona fide. Lastly, the opinion emphasized that the purpose of RESPA is to prevent unnecessary increases in costs of certain settlement services for consumers, and the payments resulting from the relationship between the law firm and the title agencies not only were for services actually received but were not found to increase the cost of those services at settlement.
States enact data breach notification laws; Oregon prohibits fees for security freezes
On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.
A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:
- Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
- Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).
FTC challenges virtual currency “chain referral schemes”—creates new working group
On March 16, the FTC announced that a U.S. District Court for the Southern District of Florida granted a temporary restraining order against four individuals who allegedly promoted cryptocurrency “chain referral schemes” in violation of the FTC Act. According to the complaint, the defendants falsely promised that by paying a small sum in virtual currency to enroll, such as bitcoin or Litecoin, the participant could earn significant returns. Three of the defendants promoted schemes that claimed participants could turn $100 into $80,000 in monthly income based on recruiting additional participants, when in actuality most of the participants failed to recoup their initial investments. Additionally, the fourth defendant promoted another scheme, which promised virtual currency investors a fixed rate of return on bitcoin investments in a passive investment operation and a multilevel investment program which participants would receive a commission for recruiting more investors. The scheme allegedly ended within two months of opening and many investors failed to recover the initial investments.
On the same day, the FTC announced a new FTC Blockchain Working Group, which will (i) “build on FTC staff expertise in cryptocurrency and blockchain technology through resource sharing and by hosting outside experts”; (ii) “facilitate internal communication and external coordination on enforcement actions and other related projects”; and (iii) “serve as an internal forum for brainstorming potential impacts on the FTC’s dual missions and how to address those impacts.” The announcement highlighted the properties of cryptocurrencies that make the payment form susceptible to scammers, including the fact that it can be transferred electronically without requiring validation from a trusted third party source.
Buckley Sandler Special Alert: D.C. Circuit significantly narrows FCC’s order defining autodialer
On March 16, the D.C. Circuit issued its much-anticipated ruling in ACA International v. FCC. The D.C. Circuit’s ruling significantly narrows a Federal Communication Commission order from 2015, which, among other things, had broadly defined an “autodialer” for purposes of the Telephone Consumer Protection Act.
* * *
Click here to read the full special alert.
If you have questions about the ruling or other related issues, please visit our Class Actions practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.California appellate court says mortgage servicers can be debt collectors under Rosenthal Act
On March 13, a California appellate court held that a mortgage servicer that engages in debt collection activities may be considered a “debt collector” under California’s Rosenthal Fair Debt Collection Practices Act (Rosenthal Act). The decision results from a class action lawsuit alleging that the mortgage servicer made hundreds of phone calls demanding mortgage payments that had already been paid or were not yet due, including making calls at inconvenient times throughout the day and using threats of negative credit reporting and foreclosure. The class action suit alleged that the mortgage servicer’s activity violated the Rosenthal Act and the California’s Unfair Competition Law. The trial court sustained the mortgage servicer’s demurrer to the plaintiff’s complaint, concluding that servicing a mortgage is not a form of collecting consumer debts. In reversing the trial court’s decision, the appellate court held that, although the language in the Rosenthal Act was ambiguous with regard to mortgage debt servicing, it should be “construed broadly in favor of protecting the public,” and thus mortgage lenders and mortgage servicers can be considered “debt collectors” within the law’s purview. The appellate court acknowledged a split among California federal courts on the issue.
9th Circuit denies bank’s challenge to FDIC bank secrecy order
On March 12, the U.S. Court of Appeals for the 9th Circuit upheld a 2016 FDIC cease and desist order against a California bank arising out of alleged deficiencies in compliance management relating to the Bank Secrecy Act (BSA) and anti-money laundering laws. According to the opinion, FDIC examinations dating back to 2010 identified areas for BSA compliance improvement. While the bank made adjustments in response to the original findings, a 2012 FDIC examination found the bank’s BSA compliance program still was deficient, including because it did not “establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training”—known as the “four pillars”—and because the bank had not filed a necessary suspicious activity report. The bank argued that the BSA compliance standards were too vague, accused FDIC examiners of bias during the examination in a manner that violated its due process rights, and alleged that the decision was not supported by substantial evidence.
The three-judge panel ruled that (i) there was no bias in the FDIC’s decision to assess a penalty against the bank because there was substantial evidence to support an administrative law judge’s findings that the bank’s failure to maintain adequate controls violated BSA regulations; and (ii) because the BSA and FDIC’s implementing regulations are “economic in nature and threaten no constitutionally protected rights,” vagueness is not an overriding concern. While the “four pillars” of BSA compliance are open to interpretation, the panel noted, the FDIC provides banks with a manual written by the Federal Financial Institutions Examination Council that sets forth a uniform compliance standard. Furthermore, FDIC Financial Institution Letter 17-2010 clarifies that the manual contains the FDIC’s BSA compliance supervisory expectations. “A BSA Officer at the Bank bearing the requisite ‘specialized knowledge’ would understand that compliance with the FFIEC Manual ensures compliance with the BSA. . . . The BSA and its implementing regulations are not unconstitutionally vague,” the panel stated. Therefore, the 9th Circuit held that the manual was entitled to Chevron deference and denied the bank’s petition for review.
District Court denies payment company’s request to set aside judgment
On March 12, the U.S. District Court for the Northern District of California denied a company’s post-trial motions to set aside September 2017 judgments in a lawsuit brought by the CFPB for alleged violations of the Consumer Financial Protection Act (CFPA). Specifically, the bi-weekly payments company requested that the court set aside its injunction and reconsider a $7.93 million penalty in light of “new evidence” that demonstrated the company’s inability to pay the penalty. As previously covered by Infobytes, the CFPB filed the lawsuit in 2015, alleging, among other things, that the company made misrepresentations to consumers about its bi-weekly payment program by overstating the savings provided by the program and creating the impression the company was affiliated with the consumers’ lender. In denying the company’s motion, the court held that the company failed to present new evidence that would justify the relief. Additionally, the court rejected the argument that the permanent injunction placed on the company was overly burdensome, stating “in light of the evidence of defendants[’] prior practices…the limitations of the injunction reflect appropriate safeguards ‘to avoid deception of the consumer.’”
California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach
On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach.
9th Circuit reinstates class action data breach lawsuit against online retailer
On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because the stolen information provided hackers the “means to commit fraud or identity theft.” The panel noted that evidence that another group of consumers had suffered financial losses from the same data breach undermined the argument that the data stolen would not lead to fraud or identity theft. In addition, although the defendant asserted that too much time had passed since the data breach for any harm to be considered imminent, the panel found that determining jurisdiction requires an assessment of a plaintiff’s standing at the time the suit was filed, and that the risk of harm was sufficiently imminent at the time of filing. The 9th Circuit remanded the case back to the lower court for review.
The panel also addressed a separate appeal by the class on the district court’s decision not to enforce a purported settlement agreement, affirming the lower court’s decision “because the parties did not have a meeting of the minds on all essential terms of the agreement.”
District Court recognizes CFTC authority to regulate virtual currency as commodities
On March 6, the U.S. District Court for the Eastern District of New York granted the CFTC’s request for preliminary injunction against defendants alleged to have misappropriated investor money through a cryptocurrency trading scam, holding that the CFTC has the authority to regulate virtual currency as commodities. The decision additionally defined virtual currency as a “commodity” within the meaning of the Commodity Exchange Act (CEA) and gave the CFTC jurisdiction to pursue fraudulent activities involving virtual currency even if the fraud does not directly involve the sale of futures or derivative contracts. However, the court noted that the “jurisdictional authority of CFTC to regulate virtual currencies as commodities does not preclude other agencies from exercising their regulatory power when virtual currencies function differently than derivative commodities.” Under the terms of the order, the defendants are restrained and enjoined until further order of the court from participating in fraudulent behavior related to the swap or sale of any commodity, and must, among other things, provide the CFTC with access to business records and a written account of financial documents.
Find continuing InfoBytes coverage on virtual currency oversight here.