Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 11, the U.S. District Court for the Central District of California obtained two additional judgments in an action by the CFPB against a mortgage lender and several related individuals and companies (collectively, “defendants”) for alleged violations of the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), and Fair Credit Reporting Act (FCRA). These are the latest judgments reached with defendants in the ongoing litigation. (See InfoBytes coverage on previously announced settlements here, here, here, and here.)
As previously covered by InfoBytes, the Bureau filed a complaint in January 2020 claiming the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products, but instead, the defendants allegedly resold or provided the reports to companies engaged in marketing student loan debt-relief services. The defendants also allegedly violated the TSR by charging and collecting advance fees for their debt-relief services. The CFPB further claimed that the defendants violated the TSR and CFPA when they used telemarketing sales calls and direct mail to encourage consumers to consolidate their loans, and falsely represented that consolidation could lower student-loan interest rates, improve borrowers’ credit scores, and change their servicer to the Department of Education.
The May 11 stipulated final judgment entered against a group of corporate defendants, as well as an associated individual, requires the defendants to pay more than $18 million in consumer redress. Payment will be suspended, however, upon satisfaction of certain outlined obligations. The defendants, who neither admitted nor denied the allegations, are also obligated to pay a $125,000 civil money penalty to the Bureau, and are permanently enjoined from offering or providing debt-relief services or from using or obtaining consumer reports for any purpose. Additionally, the individual defendant is banned from using or obtaining benefit from consumer information contained in prescreened consumer reports.
On the same day, a second stipulated final judgment was entered against one of the individual defendants. The judgment requires the individual defendant to pay more than $3.4 million in redress to affected consumers, which will be partially suspended upon satisfaction of certain outlined obligations, along with a $1 civil money penalty. The individual defendant, who also neither admitted nor denied the allegations, is permanently enjoined from offering or providing debt relief services, from participating or engaging in the telemarketing of any consumer financial product or service, or from using or obtaining prescreened consumer reports for any purpose.
On May 17, the CFPB announced a settlement with a Massachusetts-based debt-settlement company for allegedly violating the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA). As previously covered by InfoBytes, the Bureau alleged the company violated the TSR and/or the CFPA by, among other things, (i) requesting and receiving payment of fees for services before renegotiating, settling, reducing, or otherwise altering the terms of at least one debt pursuant to an agreement or before a consumer had made a payment under their agreement; (ii) misrepresenting to consumers that it would not charge fees for its services until it settled a debt and consumers made payments under the settlement to the creditor; (iii) charging fees based on the amount of debt after enrollment instead of the amount of debt at the time of enrollment; and (iv) failing to disclose the amount of time it would take the company to make a settlement offer or the amount of debt the consumer would need to accumulate to make a settlement offer to each creditor. The CFPB’s original complaint had sought an injunction against the company as well as damages, redress, disgorgement of ill-gotten gains, and the imposition of civil money penalties.
The judgment, ordered by the court on May 19, requires the company to: (i) pay a $7.7 million judgment, which would be partially suspended upon the company paying harmed consumers $5.4 million; (ii) stop its deceptive practices and; (iii) pay a $1 civil money penalty.
On May 13, a Massachusetts-based custody bank entered into a deferred prosecution agreement (agreement) with the DOJ related to a criminal indictment for a single count of conspiracy to commit wire fraud. According to the DOJ’s press release, the bank acknowledged that, from at least 1998 through 2015, it, along with eight co-conspirator bank executives (collectively, “defendants”), defrauded clients of more than $290 million by charging hidden markups to out-of-pocket (OOP) expenses “on top of fees that the clients had agreed to pay the bank, and despite written agreements that caused clients to believe the expenses would be passed through to them without a markup.”
Under the terms of the agreement, the bank agreed to (i) pay a $115 million monetary penalty; (ii) continue to cooperate with the U.S. Attorney’s Office; (iii) enhance its compliance practices; and (iv) hire an independent compliance and business ethics monitor for two years. The DOJ credited the bank for (i) voluntarily disclosing its misconduct; (ii) cooperating with the DOJ’s investigation; (iii) undertaking remedial measures to enhance its compliance program and to ensure consequences for individuals and business units involved in the misconduct; (iv) reimbursing affected clients for the overbilled amounts; and (v) previously paying $88 million in civil money penalties to the SEC and $8.575 million in civil penalties to state regulators.
On May 14, the U.S. Court of Appeals for the Ninth Circuit denied en banc rehearing of CFPB v. Seila Law, LLC. As previously covered by InfoBytes, following remand from the U.S. Supreme Court, a three-judge panel of the 9th Circuit had reaffirmed a district court order granting the CFPB’s petition to enforce a civil investigative demand (CID) sent to Seila Law. The panel wrote that “Director Kraninger’s ratification [of the CID] remedied any constitutional injury that Seila Law may have suffered due to the manner in which the CFPB was originally structured. Seila Law’s only cognizable injury arose from the fact that the agency issued the CID and pursued its enforcement while headed by a Director who was improperly insulated from the President’s removal authority. Any concerns that Seila Law might have had about being subjected to investigation without adequate presidential oversight and control had now been resolved. A Director well aware that she may be removed by the President at will had ratified her predecessors’ earlier decisions to issue and enforce the CID.”
Judge Bumatay, joined by three other circuit judges, dissented from denial of en banc rehearing, arguing that “[o]ur court’s decision to deny rehearing en banc effectively means that Seila Law is entitled to no relief from the harms inflicted by an unaccountable and unchecked federal agency. Thus, while David slayed the giant, Goliath still wins.” Judge Bumatay further stressed that the doctrine of ratification does not permit the Bureau to “retroactively gift itself power that it lacked,” concluding that the panel’s condoning of the Bureau’s “power grab was erroneous.”
On May 13, the U.S. District Court for the Northern District California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after plaintiffs launched an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.
On May 11, the U.S. Court of Appeals for the Sixth Circuit affirmed dismissal of a putative class action for lack of subject matter jurisdiction, holding that while a merchant technically violated the Fair and Accurate Credit Transactions Act (FACTA) by including 10 credit card digits on a customer’s receipt, the customer failed to allege any concrete harm sufficient to establish standing. According to the opinion, the named plaintiff filed a class action against the merchant alleging the first six and last four digits of her credit card number were printed on her receipt—a violation of FACTA’s truncation requirement, which only permits the last five digits to be printed on a receipt. The plaintiff argued that this presented “a significant risk of the exact harm that Congress intended to prevent—the display of card information that could be exploited by an identity thief,” and further claimed she did not need to allege any harm beyond the violation of the statute to establish standing. The district court disagreed, ruling that the plaintiff “lacked standing because she alleged merely a threat of future harm that was not certainly impending” and that the merchant’s technical violation demonstrated no material risk of identity theft.
In agreeing with the district court, the 6th Circuit concluded that a “violation of the statute does not automatically create a concrete injury of increased risk of real harm even if Congress designed it so.” Moreover, the appellate court reasoned that the “factual allegations in this complaint do not establish an increased risk of identity theft either because they do not show how, even if [p]laintiff’s receipt fell into the wrong hands, criminals would have a gateway to consumers’ personal and financial data.” The appellate court further concluded, “statutory-injury-for-injury’s sake does not satisfy Article III’s injury in fact requirement” and the court must exercise its constitutional duty to ensure a plaintiff has standing.
On May 10, the U.S. Court of Appeals for the Second Circuit determined that class members have constitutional standing to sue a national bank for allegedly violating New York’s mortgage-satisfaction-recording statutes, which require lenders to record borrowers’ repayments within 30 days. The plaintiffs filed a class action suit alleging the bank’s recordation delay harmed their financial reputations, impaired their credit, and limited their borrowing capacity. The district court agreed, ruling that the plaintiffs had Article III standing to sue because the bank’s alleged violation of the mortgage-satisfaction-recording statutes created a “material risk of harm” to them.
On appeal, the majority opinion first determined, among other things, that “state legislatures may create legally protected interests whose violation supports Article III standing, subject to certain federal limitations.” The alleged state law violations in this matter, the majority wrote, constitute a concrete and particularized harm to the plaintiffs in the form of both reputational injury and limitations in borrowing capacity during the recordation delay period. Moreover, the majority concluded that the bank’s alleged failure to report the plaintiffs’ mortgage discharge “posed a real risk of material harm” because the public record reflected an outstanding debt of over $50,000, which could “reasonably be inferred to have substantially restricted” the plaintiffs’ borrowing capacity. The dissenting judge argued, however, that the plaintiffs “never suffered a cloud on title prohibiting them from selling their property, or adverse effects on their credit, or an inability to finance another property, or even a risk of these harms,” and that the “trivial nature of a recordation delay is reflected in the 30-day delay that is tolerated without penalty, and by the small penalty exacted even after 90 days.”
The 2nd Circuit joined the Third, Seventh, Ninth, and Tenth circuits in holding that state legislatures have the power to “create ‘legally protected interests’” that, when violated, satisfy Article III injury-in-fact requirement, noting that it is “aware of no Circuit holding to the contrary.”
On May 5, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of a mortgage servicer in an action asserting claims arising from a homeowners’ association’s (HOA) nonjudicial foreclosure on real property in Nevada. According to the opinion, Fannie Mae originally purchased the loan on the property (secured by a Deed of Trust), which was eventually assigned to the mortgage servicer. Following the homeowners’ failure to pay their HOA dues, a foreclosure sale was held, and the property was conveyed to a limited liability company. The mortgage servicer filed a quiet title suit against the company, and the district court granted summary judgment in its favor on the basis that the Federal Foreclosure Bar (which prohibits the foreclosure of FHFA property without FHFA’s consent) “prevented the extinguishment of Fannie Mae’s Deed.”
In agreeing with the district court, the 9th Circuit first rejected two threshold challenges raised by the company, holding that the mortgage servicer “properly and timely” raised its claims under the Federal Foreclosure Bar. Specifically, the appellate court determined that the mortgage servicer “presented ample evidence of its servicing relationship with Fannie Mae,” and that this relationship, along with authority delegated to Fannie Mae loan servicers to protect its mortgage loans, “was more than sufficient to establish” that the mortgage servicer was Fannie Mae’s loan servicer and, therefore “had the authority to assert the Federal Foreclosure Bar” in quiet title action. The 9th Circuit also concluded that the mortgage servicer filed the action within the applicable six-year statute of limitations. In holding that the Federal Foreclosure Bar preempted Nevada’s HOA law and prevented the extinguishment of Fannie Mae’s Deed of Trust, the appellate court noted, among other things, that the mortgage servicer demonstrated that Fannie Mae retained an enforceable interest in the loan at the time of the HOA foreclosure sale. The 9th Circuit rejected the company’s argument that the mortgage servicer “failed to produce a ‘signed writing’ evincing such interest as required by the Nevada statute of frauds.” According to the appellate court, given that the company “was not a party to the underlying loan agreement pursuant to which Fannie Mae acquired the loan,” the company could not raise the statute of frauds.
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data comprises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.
On May 7, the U.S. District Court for the Southern District of New York granted a Missouri-based accounts receivable management company’s (defendant) motion for judgment on the pleadings concerning alleged FDCPA violations. The defendant stated in a collection letter that the plaintiff’s account would be placed with an attorney “for possible legal action” if repayment could not be arranged. The letter also listed two addresses—a physical office address at the top left of the letter and a P.O. Box at the top left of a detachable payment coupon at the bottom of the letter. The plaintiff alleged the letter violated Sections 1692e and 1692g of the FDCPA, claiming that the least sophisticated consumer could read the letter and think that legal action was “imminent,” which would ultimately overshadow the 30-day period to dispute the validity of the debt. The court disagreed, however, concluding that even the least sophisticated consumer would not think the use of the words “if” and “possible” in the letter in question meant that legal action was imminent. Moreover, the court ruled that the inclusion of two different addresses in the letter would not confuse anyone about where to send a dispute notification. Specifically, the validation notice in the letter informed the plaintiff that the defendant would assume the debt to be valid unless its office was notified of a dispute and the letter provided only one office address.