InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
10th Circuit affirms summary judgment in FDCPA action
On August 17, the U.S. Court of Appeals for the Tenth Circuit affirmed a district court’s decision in granting a plaintiff summary judgment, finding that the debt collector (defendant) violated the FDCPA by allegedly attempting to collect a debt despite receiving written notice disputing the debt, and by allegedly calling the defendant despite receiving a “cease-and-desist letter.” According to the opinion, the plaintiff allegedly incurred a medical debt that was placed with the defendant for collection, in which the defendant sent a letter on April 25 to the plaintiff seeking payment of the debt. On April 30, the defendant called the plaintiff and left a voice message. Subsequently, the defendant received a letter from the plaintiff on May 7 disputing the debt and demanding that the defendant cease calling, and that future correspondence should be in writing. However, the letter was not documented into the defendant’s system until May 10; meanwhile, on May 8, the defendant placed another call to the plaintiff, leaving another voice message. The plaintiff filed suit, alleging the defendant violated Section 1692g(b) of the FDCPA “by attempting to collect the debt despite receiving her written notice disputing the debt” and Section 1692g(c) of the FDCPA “by continuing to call her despite receiving her cease-and-desist letter.” The district court ruled that the plaintiff violated the FDCPA and the defendant’s bona fide error defense did not excuse the FDCPA violations, emphasizing that “the bona fide-error defense is an affirmative one, requiring that [the defendant] prove the prongs of the defense, not that [the plaintiff] disprove them.”
On appeal, the 10th Circuit agreed with the district court and cited TransUnion v. Ramirez, where the U.S. Supreme Court clarified the Spokeo standing requirements, including that the tort of intrusion upon seclusion is recognized as an intangible harm providing a basis for a lawsuit in American courts (covered by InfoBytes here). According to the opinion, in consideration of the FCRA, “the TransUnion Court noted that a company’s maintaining incorrect information in its database, absent dissemination to a third party, failed to create a harm bearing a close relationship to the common-law tort of defamation.” Further, “[w]ithout the ‘necessary’ defamation component that the tortious words were published, this harm differed in kind.” The appellate court pointed out that “this analysis doesn’t control the case at question because the plaintiff alleged the necessary components for a common-law intrusion-upon-seclusion tort.” The appellate court further affirmed that the phone call that was placed after the cease-and-desist letter was received is considered enough to confer standing for the plaintiff to sue. The 10th Circuit held, “[t]hough a single phone call may not intrude to the degree required at common law, that phone call poses the same kind of harm recognized at common law—an unwanted intrusion into a plaintiff’s peace and quiet.”
Appellate Court affirms defendant waived right to arbitration
On August 18, a Florida District Court of Appeals affirmed a district court’s decision that an auto dealer (defendant) waived its right to compel arbitration after failing to mention an arbitration provision until days before the hearing. The plaintiffs filed a class action complaint alleging that the defendant engaged in deceptive practices regarding fees on car sales. While the defendant raised seven affirmative defenses, it did not raise arbitration, even though an arbitration provision was included in the contract between the defendant and each vehicle purchaser. The defendant moved for judgment on the pleadings and argued “that the type of damages sought in the suit were unavailable under the Florida Deceptive and Unfair Trade Practices Act,” but the court denied the motion. According to the opinion, days before the hearing, the defendant “filed its motion to compel arbitration ‘in opposition to plaintiff’s motion for class certification,’ raising arbitration as an issue for the first time fourteen months after the class action complaint had been filed,” contending that it did not waive its right to arbitrate due to prior filings being defensive in nature. Later, the defendant argued that even if the court found a waiver as to the named plaintiffs, it could not have waived its right to arbitrate with the unnamed class members. The court ruled that the defendant “engaged in class discovery without objecting to it or preserving its right to compel arbitration with the unnamed class members.”
In making its decision, the appellate court cited a 2018 decision by the U.S. Court of Appeals for the Eleventh Circuit, which ruled that a bank had not waived its arbitration rights regarding the unnamed class members because it expressly stated it wished to preserve arbitration rights against those class members when the matter became ripe (covered by InfoBytes here). The appellate court agreed with the court, finding that the defendant acted inconsistently with regard to arbitration in the dispute and therefore waived any right to force the plaintiffs into arbitration.
District Court preliminarily approves $12 million class action settlement over automated mortgage errors
On August 17, the U.S. District Court for the Southern District of Ohio granted preliminary approval of a proposed settlement in a class action that claimed a national bank’s automated mortgage loan modification tools failed to approve borrowers due to technical issues. Class members (defined as borrowers who qualified during a specified time period for a home loan modification or repayment plan pursuant to the requirements of government-sponsored enterprises, FHA, or the Department of Treasury’s Home Affordable Modification Program that “were not offered a home loan modification or repayment plan by [the bank] because of excessive attorneys’ fees being included in the loan modification decision process” and whose homes were not sold in foreclosure) sued the bank alleging it “failed to detect or ignored multiple systematic errors in it automated decision-making software.” This software, class members claimed, is used to create automated calculations and determine whether consumers in default are eligible for loan modifications. According to class members, the bank allegedly “failed to adequately test, audit, and verify that its software was correctly calculating whether customers met threshold requirements for a mortgage modification” and failed to regularly and properly audit its software for compliance with government requirements, thus allowing errors to remain uncorrected. Class members further claimed that the bank apparently took several years to implement new controls and disclose the error. Under the terms of the preliminarily approved settlement, the bank must pay $12 million in relief to the settlement class.
Florida District Court of Appeals partially affirms and partially reverses ruling against national bank
On August 13, a Florida District Court of Appeals affirmed in part and reversed in part a judgment against a national bank (defendant) awarding a payment processor approximately $2 million in compensatory damages and $5 million in punitive damages. The judgment, based on a jury verdict, awarded punitive damages as a result of the conduct of the bank’s relationship manager, who negligently misrepresented to a payment processor (plaintiff) that the account of the bank’s customer, a check authorization service, was in good standing when really the bank had previously terminated the relationship. On appeal, the court found that the relationship manager was considered a mid-level employee with limited managerial authority. Therefore, the appeals court determined that the defendant could not be held directly liable for his conduct, stating that “[the employee] was not a managing agent for purposes of imposing direct liability for punitive damages,” and “the trial court erred in denying [the defendant’s] motion for judgment notwithstanding the verdict on [the plaintiff’s] punitive damage claim.”
District Court approves $28 million class action settlement over recorded calls
On August 16, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a call center hired by a national bank and its merchant processing servicer (collectively, “defendants”) violated California’s Invasion of Privacy Act by recording calls without receiving customers’ permission. Class members, comprised of California businesses who did not sign a contract for merchant processing services with the servicer, filed suit against the defendants in 2016 claiming the call center placed sales appointment calls to the businesses without disclosing that the calls were being recorded. The defendants denied any liability or knowledge of the alleged conduct, and continued to maintain “that there was no principal-agent relationship with [the call center] and, even if there were such a relationship, [the call center] acted outside the scope of its authority by illegally recording calls.” The preliminarily approved settlement will require the defendants to pay $28 million, of which up to $5,000 will be paid for each eligible call that a class member received during the class period.
CFPB appeals decision on Prepaid Accounts Rule
On August 16, the CFPB filed its opening brief in the agency’s appeal of a district court’s December 2020 decision, which granted a payment company’s motion for summary judgment and vacated two provisions of the Bureau’s Prepaid Account Rule: (i) the short-form disclosure requirement “to the extent it provides mandatory disclosure clauses”; and (ii) the 30-day credit linking restriction. As previously covered by InfoBytes, the Bureau claimed that it had authority to enforce the mandates under federal regulations, including the EFTA, TILA, and Dodd-Frank, but the district court disagreed, concluding, among other things, that the Bureau acted outside of its statutory authority with respect to the mandatory disclosure clauses of the short-form requirement in 12 CFR section 1005.18(b) by presuming that “Congress delegated power to the Bureau to issue mandatory disclosure clauses just because Congress did not specifically prohibit them from doing so.” In striking the mandatory 30-day credit linking restriction under 12 CFR section 1026.61(c)(1)(iii), the district court determined that “the Bureau once again reads too much into its general rulemaking authority,” and that neither TILA nor Dodd-Frank vest the Bureau with the authority to promulgate substantive regulations on when consumers can access and use credit linked to prepaid accounts. Moreover, the court deemed the regulatory provision to be a “substantive regulation banning a consumer’s access to and use of credit” under the disguise of a disclosure, and thus invalid.
In its appeal, the Bureau urged the U.S. Court of Appeals for the D.C. Circuit to overturn the district court’s ruling, arguing that both the EFTA and Dodd-Frank authorize the Bureau to promulgate rules governing disclosures for prepaid accounts. “The model-clause provision simply ensures that institutions will always have a surefire way of complying with the statute, even when the Bureau’s regulations do not specify how information should be disclosed,” the CFPB said, stressing that “[n]either that provision nor anything else forecloses—let alone unambiguously forecloses—rules requiring disclosures to present specified content in a specified format so that consumers are better able to find, understand, and compare products’ terms.” The decision to adopt such rules, the Bureau added, is entitled to deference. According to the Bureau, the Prepaid Account Rule “does not make any specific disclosure clauses mandatory,” and companies are permitted to use the provided sample disclosure wording or use their own “substantially similar” wording. Additionally, the Bureau argued, among other things, that “[b]y mandating optional model clauses while remaining silent about content and formatting requirements, Congress did not ‘circumscribe[] the [agency’s] discretion’ to adopt such requirements.” Instead, the Bureau contended, “whether to adopt content and formatting requirements is left ‘to agency discretion.’” Moreover, the disputed requirements “fit comfortably” within its power to regulate disclosure standards under EFTA and Dodd-Frank, the Bureau argued, adding that the law “authorizes the Bureau to ‘prescribe rules to ensure that the features of any consumer financial product or service … are fully, accurately, and effectively disclosed to consumers.’”
6th Circuit: Consumer lacks standing to bring FDCPA voice message claims
On August 16, the U.S. Court of Appeals for the Sixth Circuit held 2-1 that a plaintiff lacked Article III standing to bring claims against a debt servicer defendant for allegedly violating the FDCPA by failing to properly identify itself in voice messages. The plaintiff filed suit in 2019 alleging violations of three FDCPA provisions, including that the defendant: (i) failed to identify itself as a debt collector in its voice messages; (ii) failed to identify the “true name” of its business, thus causing the plaintiff to send a cease-and-desist letter to the wrong entity; and (iii) placed calls without meaningfully disclosing its identity. The district court granted summary judgment in favor of the defendant, ruling that because the defendant did not qualify as a “debt collector” under the FDCPA it was not subject to the statute’s requirements.
On appeal, the 6th Circuit raised the issue of standing “for the first time on appeal,” concluding that the plaintiff “does not automatically have standing simply because Congress authorizes a plaintiff to sue a debt collector for failing to comply with the FDCPA.” Pointing out that the appeal “centers on whether [the plaintiff] suffered a concrete injury,” the appellate court rejected the plaintiff’s arguments that the defendant’s statutory violations constituted a “concrete injury” and “that the confusion he suffered, the expense of counsel, and the phone call that he received from [the defendant] qualify as independent concrete injuries.” Among other things, the 6th Circuit noted that although the plaintiff claimed that the FDCPA “created an enforceable right to know who is calling about a debt and that [the defendant’s] failure to identify its full name concretely injured him,” the plaintiff ultimately failed to demonstrate that the defendant’s “failure to disclose its full identity in its voice messages resembles a harm traditionally regarded as providing a basis for a lawsuit.” Additionally, the appellate court determined that “confusion alone is not a concrete injury for Article III purposes,” and that the plaintiff “cannot show concrete harm simply by pointing to the cost of hiring counsel.” Moreover, because the plaintiff “did not clearly assert in his complaint that he received—let alone was harmed by—an additional phone call, [the appellate court] need not decide whether an unwanted call might qualify as a concrete injury.” The 6th Circuit vacated the district court’s order entering summary judgment and remanded the case to be dismissed for lack of jurisdiction.
District Court: State law right-to-cure provisions preempted by National Bank Act
On August 4, the U.S. District Court for the Western District of Wisconsin granted defendants’ motion for partial summary judgment in an action alleging claims under the FDCPA and the Wisconsin Consumer Act (WCA). The defendants were a debt-purchasing company and a law firm hired by the company to recover outstanding debt and purported late fees on the plaintiff’s account in a separate state-court action. After the plaintiff failed to make payments on his outstanding balance, the original creditor (a national bank) charged late fees and mailed him a “right to cure” letter advising him of the minimum payment due and the deadline to make the payment. The account was eventually sold to the debt-purchasing company after the plaintiff failed to make any minimum payments. The law firm sent the plaintiff two letters on behalf of the debt-purchasing company, one which outlined his right to dispute the debt and one which provided a “notice of right to cure default.” A small claims action was filed against the plaintiff in state court, in which the plaintiff argued for dismissal, contending in part that the notice of default failed to itemize delinquency charges as required under Wisconsin law. The plaintiff then filed this suit in federal court alleging violations of the FDCPA and the WCA, claiming that the defendants “falsely represented the status of his debt in violation of § 1692e by purporting to have properly accelerated his debt and filed suit against him despite [the plaintiff] never being provided an adequate right to cure letter pursuant to Wisconsin law.”
First, in reviewing whether the plaintiff had standing to sue, the court determined that the “costs, time, and energy” incurred by the plaintiff to defend himself in the state-court action amounted to a “concrete injury in fact” that established his standing in the federal-court action. However, upon reviewing the WCA’s right-to-cure provisions as the basis for the plaintiff’s claims that the defendants violated federal and state laws by allegedly falsely representing that they could accelerate the plaintiff’s debt and sue him, the court examined whether the state law’s notice and right-to-cure provisions were federally preempted by the National Bank Act (NBA), as the original creditor’s rights and duties were assigned to the debt-purchasing company when the account was sold. The court determined that while the WCA right-to-cure provisions “do relate in part to debt collection,” they also “go beyond that by imposing conditions on the terms of credit within the lending relationship.” The court ultimately concluded that the WCA provisions “are inapplicable to national banks by reason of federal preemption,” and, as such, the court found “that a debt collector assigned a debt from a national bank is likewise exempt from those requirements” and was not required to send the plaintiff a right-to-cure letter “as a precondition to accelerating his debt or filing suit against him.”
District Court: Cloud computing company must face class action CCPA claims in data breach suit
On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that the data breach was a result of the company’s “deficient security program” and contended that the company “failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.” They further claimed, among other things, that the company’s narrow internal investigation did not address the full scope of the ransomware attack (in which it was eventually revealed that Social Security numbers and other sensitive personal data were compromised) and that plaintiffs were not provided timely and adequate notice of the data breach.
The court found that the plaintiffs failed to adequately plead their claims for violations of consumer protection laws in New Jersey, Pennsylvania, and South Carolina, but allowed certain claims to proceed, including plaintiffs’ allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to implement and maintain reasonable security procedures. The CCPA, which became effective January 1, 2020 (covered by a Buckley Special Alert), provides for a limited private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” The company countered, however, that it is not a “business” regulated under the CCPA.
The court disagreed, writing that “the plain text of the statute is instructive” and that the plaintiffs had adequately alleged that the company qualified as a “business” under the statute because it (i) uses consumers’ personal data to provide, develop, improve, and test its services; (ii) “develops software solutions to process its customers’ patrons’ personal information”; (iii) has annual gross revenues of more than $25 million; and (iv) is allegedly registered as a “data broker” in California under a law that “provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” The court also rejected the company’s contention that because it qualifies as a “service provider” under the CCPA it is not a “business.” The court further allowed claims under New York General Business Law Section 349 to proceed, finding the plaintiffs had sufficiently alleged that the company had misrepresented its security measures and the scope of the breach and had prevented consumers from protecting their data. The court also allowed the plaintiffs to seek declaratory and injunctive relief under Florida’s Deceptive and Unfair Trade Practices Act.
SEC says digital asset trading company violated the Exchange Act
On August 9, the SEC announced charges against a digital asset trading company for operating an unregistered online digital asset exchange in connection with its operation of a trading platform that facilitated buying and selling of digital asset securities. According to the SEC’s order, the company operated a web-based trading platform that facilitated buying and selling digital assets, which included digital assets that were investment contracts and therefore securities. The order finds that, “[n]otwithstanding its operation of the [Company] Trading Platform, [the company] did not register as a national securities exchange nor did it operate pursuant to an exemption from registration at any time, and its failure to do so was a violation of Section 5 of the Exchange Act,” despite operating as a Rule 3b-16(a) system under the Exchange Act. The order, which the company consented to without admitting or denying the findings, imposes a disgorgement fee of $8,484,313, a prejudgment interest fee of $403,995, and a civil penalty of $1.5 million, for a total of $10,388,309. The order also provides that the company must cease and desist from committing or causing any future violations of the Exchange Act and establishes a fair fund for the benefit of victims.