InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Seila Law will not petition Supreme Court a second time
On October 8, counsel for the appellant in CFPB v. Seila Law LLC sent a letter to the U.S. Court of Appeals for the Ninth Circuit stating that, after further consideration, the law firm has decided not to seek further review from the U.S. Supreme Court in its long-running challenge with the Bureau. Seila Law’s last trip to the Court resulted in a decision that declared the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau (covered by a Buckley Special Alert). October 11 was the deadline for Seila Law to file a certiorari petition with the Court after the 9th Circuit granted the law firm’s request to stay a mandate ordering compliance with a 2017 civil investigative demand (CID) issued by the Bureau. As previously covered by InfoBytes, the order stayed the appellate court’s mandate (covered by InfoBytes here) for 150 days, or until final disposition by the Court if the law firm had filed its petition of certiorari. The letter did not explain Seila Law’s reasoning.
This announcement follows the Court’s recent decision not to hear a petition filed by a New Jersey-based finance company accused by the CFPB and the New York attorney general of misleading consumers about high-cost loans allegedly mischaracterized as assignments of future payment rights (covered by InfoBytes here), and may mark the beginning of the end of litigation over former Director Kraninger’s July 2020 ratifications of the Bureau’s private actions (covered by InfoBytes here). Since the Court’s decision in Seila, several courts have heard challenges from companies claiming the Bureau could not use ratification to avoid dismissal of their lawsuits.
Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts
On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he failed to show that the directors faced a substantial likelihood of liability on a non-exculpated claim.
The data breach, which exposed the personal information of approximately 500 million customers, took place via the reservation database of a property company that the corporation had acquired two years prior. The plaintiff alleged that the directors breached their fiduciary duties by failing to adequately conduct due diligence of cybersecurity technology for the property company in the pre-acquisition time period. For the post-acquisition period, the plaintiff alleged that the defendants continued to operate the property company’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under In re Caremark Int’l Inc. Derivative Litigation, a 1996 Delaware Chancery Court decision establishing a standard for oversight liability for board members.
With respect to the pre-acquisition time period, the court held that the plaintiff’s claims were time-barred and that was no basis for tolling. As to the post-acquisition claims, the court concluded that the directors do not face a substantial likelihood of liability under Caremark. Although the court noted that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors,” the allegations “do not meet the high bar required to state a Caremark claim. According to the court, the plaintiff has not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures.” The court acknowledged that the data breach was “momentous in scale and put the data of hundreds of millions of people at risk,” but concluded that the actions were “at the hands of a hacker,” saying that “[the corporation] was the victim of an illegal act rather than the perpetrator.”
District Court says Reg. J does not preempt state law in wire transfer case
On October 5, a federal judge for the U.S. District Court for the Western District of Pennsylvania remanded a case back to state court, holding that the Federal Reserve’s regulation governing Fedwire transfers does not completely preempt state law claims. The elderly plaintiff alleged that bank employees helped her execute wire transfers totaling $4.3 million to an unknown scam artist, but never questioned whether she “intended, or knew, that the wire transfers were being made through a crypto currency bank to a crypto currency trust company.” The plaintiff sued the bank, claiming that it was negligent in not protecting her from the scheme, and that its advertising claims about keeping client information safe from scams were misleading and violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. While recognizing that the plaintiff only asserted state law claims, the bank removed the case to federal court on the ground that the Fedwire system used to make the transfers was governed by the Fed’s Regulation J, and thus state law was preempted.
The court ruled that, while the bank could invoke Regulation J as a defense, the regulation does not expressly provide a private right to seek redress in federal court, nor does the regulation itself allow the bank to remove the case to federal court. “[T]he court concludes that the more persuasive case law reflects that only Congress (not a federal agency in a regulation) can completely preempt a state law cause of action to create removal jurisdiction.” The plaintiff did not assert federal claims, and so “[t]he mere fact that [the bank] intends to assert Regulation J as a preemption defense does not create removal jurisdiction.” Furthermore, the court cited the Fed’s commentary to Regulation J, which said regulations “may pre-empt inconsistent provisions of state law” but do not affect state law where there was no conflict. Since there was no conflict between Regulation J and the Pennsylvania law, the federal regulation does not provide the exclusive cause of action, the court said.
8th Circuit lets GSE shareholders seek retrospective relief
On October 6, the U.S. Court of Appeals for the Eighth Circuit held that Fannie Mae and Freddie Mac shareholders have standing to seek retrospective, but not prospective, relief related to their claims that they suffered damages as a result of the FHFA’s leadership structure. The shareholders alleged FHFA’s leadership structure and appointments violated the appointments clause, the separation of powers, and the non-delegation doctrine. Among other things, the shareholders claimed that (i) the Housing and Economic Recovery Act (Recovery Act), which created the agency, violated separation of powers principles because it only allowed the president to fire the FHFA director “for cause,” and (ii) FHFA acted outside its statutory authority when it adopted a third amendment to the Senior Preferred Stock Purchase Agreements, which replaced a fixed-rate dividend formula with a variable one requiring the GSEs to pay quarterly dividends equal to their entire net worth minus a specified capital reserve amount to the Treasury Department (known as the “net worth sweep”). The district court dismissed the claims for lack of standing, and in the alternative, rejected them on the merits.
The 8th Circuit began by rejecting the district court’s holding that the shareholders lacked standing. Relying on the U.S. Supreme Court’s recent ruling in Collins v. Yellen (covered by InfoBytes here), the appellate court held that the shareholders’ alleged injury flowed from the adoption of the agreement containing the net worth sweep by FHFA’s acting director, who did not properly hold office. However, the shareholders were limited to seeking retrospective relief, because prospective relief was mooted by the adoption of subsequent amendments to the agreement by validly-appointed directors.
However, the appellate court went on to hold that the shareholders were not entitled to relief based on their argument that the acting director had been in office too long in an “acting” role when he adopted the agreement. Even if the shareholders were correct, the acting director’s decisions were valid under the de facto officer doctrine, which confers validity on the acts of persons operating “under the color of official title even though it is later discovered that the legality of that person’s appointment or election to office is deficient.” Moreover, even if the de facto officer doctrine did not control, “[a]ny defect was resolved when the subsequent FHFA directors—none of whose appointments were challenged—ratified the third amendment.”
The 8th Circuit also rejected the argument that Congress unlawfully delegated authority to FHFA in the Recovery Act, finding that the statute directs FHFA “to act as a ‘conservator,’ with clear and recognizable instructions.”
Finally, the 8th Circuit did agree with the shareholders that FHFA’s leadership structure was unconstitutional because, as the Court held in Collins, it limited the president’s ability to remove the director. But the appellate court rejected the shareholders’ request that it vacate the adoption of the agreement containing the net worth sweep as a result, noting that the acting director was always “removable at will,” and that there was no allegation that subsequent agency directors (who took actions to implement the agreement) were appointed improperly. Still, the appellate court noted that, in Collins, the Court had remanded the case for a determination whether the constitutional violation “caused compensable harm” to the plaintiffs, and it did the same here.
Supreme Court won’t hear challenge to CFPB ratification
On October 4, the U.S. Supreme Court declined to hear a petition filed by a New Jersey-based finance company accused by the CFPB and the New York attorney general of misleading first responders to the World Trade Center attack and NFL retirees about high-cost loans mischaracterized as assignments of future payment rights (see entry #20-1758). In 2020, the U.S. Court of Appeals for the Second Circuit vacated a 2018 district court order, which had previously dismissed the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company (covered by InfoBytes here). At the time, the district court also rejected an attempt by then-acting Director Mulvaney to salvage the Bureau’s claims, concluding that the “ratification of the CFPB’s enforcement action against defendants failed to cure the constitutional deficiencies in the CFPB’s structure or otherwise render defendants’ arguments moot.” The 2nd Circuit remanded the case to the district court, determining that the Court’s ruling in Seila Law LLC v. CPFB (which held that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling. The appellate court further noted that following Seila, former Director Kathy Kraninger ratified several prior regulatory actions (covered by InfoBytes here), including the enforcement action brought against the defendants, and as such, remanded the case to the district court to consider the validity of the ratification of the enforcement action.
In its June petition for writ of certiorari, the company argued that the Bureau could not use ratification to avoid dismissal of the lawsuit. The company noted that while several courts, including the U.S. Court of Appeals for the Ninth Circuit (covered by InfoBytes here) have “appl[ied] ratification to cure the structural problem,” other courts have rejected the Bureau’s ratification efforts, finding them to be untimely (see a dismissal by the U.S. District Court for the District of Delaware, as covered by InfoBytes here). As such, the company had asked the Supreme Court to clarify this contradictory “hopeless muddle” by clarifying the appropriate remedy for structural constitutional violations and addressing whether ratification is still effective if it comes after the statute of limitations has expired.
As is customary when denying a petition for certiorari, the Supreme Court did not explain its reasoning.
5th Circuit: Extended overdraft charges are not interest
On September 29, the U.S. Court of Appeals for the Fifth Circuit held that the daily fees imposed on a consumer who failed to timely pay an overdraft were deposit-account service charges, not interest, and thus not subject to usury limits. The plaintiff allegedly overdrew her account and her bank paid the overdraft. The bank began charging a daily fee after the plaintiff did not repay the overdraft within five business days (called an “Extended Overdraft Charge”), which the plaintiff argued constituted interest on an extension of credit and was usurious in violation of the National Bank Act (NBA). In dismissing the plaintiff’s complaint for failure to state a claim, the district court reasoned that the bank does not make a loan to a customer when it covers the customer’s overdraft, and therefore the NBA’s limitations on interest charges do not apply. On appeal, the appellate court sided with the district court and deferred to the interpretation of the OCC that the fees at issue were not “interest” under the law. The court found the OCC’s interpretation to be reasonable and otherwise entitled to Auer deference, and on that basis affirmed.
District Court grants final approval of $92 million class action settlement over privacy violations
On August 22, the U.S. District Court for the Northern District of Illinois granted final approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA), among other things, by defying state and federal privacy laws through a social media platform and entertainment application (app). The first of the 21 putative class actions comprising this multidistrict litigation were filed in 2019, and the other 20 putative class actions were filed in 2020 in separate federal districts. Class members, comprised of U.S. residents who used the app prior to preliminary approval, and an Illinois subclass of all Illinois residents who used the app to create videos before preliminary approval, filed a consolidated amended class action complaint in 2020, claiming that the defendants harvested and profited from users’ private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings. The defendants argued, among other things, that the class members consented to the alleged misconduct by accepting the app’s terms of service.
Under the terms of the settlement, the defendants must pay “$92 million in monetary relief and an array of injunctive relief for the putative settlement class.” The settlement also requires the defendants to, among other things: (i) refrain from using the app to collect or store certain U.S. user data, including biometric data and geolocation information, without making the necessary disclosures; (ii) delete all pre-uploaded user-generated content collected from U.S. users who did not “save” or “post” the content; and (iii) require a new, yearly training program for the defendants’ employees and contractors regarding compliance with data privacy laws.
District Court: Company must face CCPA class action after ransomware attack
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”
As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”
District Court denies delay on payday lending compliance
On September 30, the U.S. District Court for the Western District of Texas denied a request made by two trade groups to stay the implementation of the payment provisions of the CFPB’s 2017 final rule covering “Payday, Vehicle Title, and Certain High-Cost Installment Loans” (2017 Rule) while they appeal an earlier decision allowing the provisions to take effect. As previously covered by InfoBytes, the court upheld the 2017 Rule’s payment provisions, finding that the Bureau’s ratification “was valid and cured the constitutional injury caused by the 2017 Rule’s approval by an improperly appointed official.” The court also concluded that the payment provisions, as a matter of law, “are consistent with the Bureau’s statutory authority and are not arbitrary and capricious,” and that the Bureau properly considered the costs and benefits of such payment provisions. The court’s order, however, granted the plaintiffs’ request to stay the compliance date, which had been set as August 19, 2019, until 286 days after final judgment.
The plaintiffs appealed to the U.S. Court of Appeals for the Fifth Circuit and asked the district court to stay the running of the 286-day stay pending appeal, such that compliance would not be required until 286 days after the appeal is resolved. The court rejected that request, stating that the plaintiffs “failed to make a sufficient showing to warrant a stay pending resolution of the appeal” and that “the equities do not support extending the stay of the compliance date beyond the court's 286-day stay from August 30, 2021.”
District Court: Maryland escrow law does not confer private right of action
On September 22, the U.S. District Court for the District of Maryland granted a national bank’s motion for summary judgment in an action claiming the bank allegedly failed to pay interest on mortgage escrow accounts. The plaintiff filed a putative class action asserting various claims including for violation of Section 12-109 of the Maryland Consumer Protection Act (MCPA), which requires lenders to pay interest on funds maintained in escrow on behalf of borrowers. In response, the bank filed a motion to dismiss on the basis that the MCPA is preempted by the National Bank Act and by 2004 OCC preemption regulations. In 2020, the court denied the bank’s motion to dismiss after it determined, among other things, that under Dodd-Frank, national banks are required to pay interest on escrow accounts when mandated by applicable state or federal law. (Covered by InfoBytes here.) Citing previous decisions in similar escrow interest cases brought against the same bank in other states (covered by InfoBytes here and here), the court stated that Section 12-109 “does not prevent or significantly interfere with [the bank’s] exercise of its federal banking authority, because [Section] 12-109’s ‘interference’ is minimal, when compared with statutes that the Supreme Court has previously found were preempted.” The court further noted that state law—which “still allows [the bank] to require escrow accounts for its borrowers”—provides that the bank must pay a small amount of interest to borrowers if it chooses to maintain escrow accounts.
However, in its most recent ruling, the court held that the MCPA does not authorize the plaintiff to sue either. “[T]his court finds that § 12-109 does not confer a private right of action,” the court wrote, adding that the plaintiff’s breach of contract claim could not get around a notice-and-cure provision in her mortgage agreement that she had not complied with before suing. The plaintiff argued that these requirements did not apply because “her self-styled breach of contract claim is actually a statutory claim because the allegedly breached contractual provision is one which pledges general adherence to applicable law.” The court disagreed, stating that under the plaintiff’s theory “any claim for breach of contract, which also violated a federal or state law, would be vaulted to a privileged hybrid status. Such claims would enjoy an unlimited private right of action (regardless of whether the underlying statute created one) and. . .would be unbounded by any of the provisions or conditions precedent detailed in the contract itself.” The court also ruled that the plaintiff’s escrow statements, which “correctly reflected that her account was not accruing interest,” are themselves “not rendered deceptive by the mere fact that Plaintiff believes such interest is owed.”