Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach and potentially exposing customers’ personal information (PII) used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”
After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”
Recently, the Texas Finance Commission adopted amendments to regulations governing residential mortgage banker, loan originator, and loan servicer licensing requirements that included updates to definitions, disclosure requirements, and other licensee duties and responsibilities. Highlights of the amendments include: (i) eliminating the requirement for a licensed mortgage company to post disclosures at its physical office; (ii) requiring disclosure of Nationwide Mortgage Licensing System and Registry (NMLS) identification information on all correspondence from a mortgage company or sponsored originator; (iii) clarifying an existing requirement that advertisements on social media sites are subject to the rules; (iv) amending regulations governing the duties and responsibilities imposed on mortgage bankers and originators to specify discrete acts listed under certain subsections to be deemed violations of certain prohibitions pursuant to Tex. Fin. Code § 156.303(a)(3); and (v) various changes to the requirements for a mortgage company and its sponsored originator to keep books and records, contained in § 80.204. The various rules are effective between January 3 and January 7.
On December 16, the enforcement section of the Massachusetts Securities Division filed an administrative complaint against a broker-dealer online trading platform alleging the company violated various state laws by using “aggressive tactics” to gain inexperienced investors. According to the complaint, the company, among other things, (i) used advertising techniques, including using young actors, to target younger individuals (with a median customer age around 31 years old) with little to no investment experience; (ii) failed to implement policies and procedures that were “[r]easonably [d]esigned to [p]revent and [r]espond to [o]utages and [d]isruptions on its [t]rading [p]latform,” resulting in nearly 70 outages throughout 2020; (iii) used “gamification strategies,” such as confetti raining down on the screen after a trade or requiring customers to “tap” a fake debit card to increase their position on the waitlist, to “lure customers into consistent participation” with the platform; and (iv) failed to review and supervise, in accordance with its own procedures, the approval of options trading accounts. The complaint asserts that the company’s tactics failed to adhere to the fiduciary conduct standard required of broker-dealers in the state of Massachusetts since the adoption of amendments in March, with enforcement beginning on September 1. Massachusetts is seeking an injunction, restitution, disgorgement, and administrative fines.
On December 14, the FTC, along with 19 federal, state, and local law enforcement partners, announced “Operation Income Illusion,” which encompasses more than 50 enforcement actions against scams targeting consumers with false promises of income and financial independence. According to an analysis of complaint data by the FTC, consumers have reported that they lost more than $610 million to income scams since 2016—with more than $150 million of losses reported in the first nine months of 2020—which the FTC attributes to the increase in scams related to the Covid-19 pandemic.
The announcement also includes four new enforcement actions and one settlement that are part of Operation Income Illusion, (i) an action and temporary restraining order against a Florida-based operation, which sold expensive memberships to programs by promoting earnings between $500 and $12,500 per sale; (ii) an action against a company with Spanish-language ads targeting Latina consumers with false promises of large profits reselling luxury products; (iii) an action and temporary restraining order against a company marketing investment-related services claiming they would enable consumers to make consistent profits off the market; (iv) an action and temporary restraining order against companies perpetuating a telemarketing scheme claiming false affiliation with Amazon.com to get consumers to purchase business opportunity programs; and (v) settlements (available here and here) with ten defendants involved in a scam targeting older adults while selling various money-making opportunities.
The other agencies reporting actions as part of the sweep include: the SEC, CFTC, the U.S. Attorney’s Office for the Eastern District of Arkansas; and state and county agencies in Arizona, Arkansas, California, Florida, Indiana, Maryland, New Hampshire, Oregon, and Pennsylvania.
On December 10, the U.S. District Court for the Middle District of Florida denied a motion to compel arbitration filed by a collection company and its chief operations officer (collectively, “defendants”), ruling that the arbitration agreements are “unconscionable” and therefore “unenforceable” because of the conditions under which borrowers agreed to arbitrate their claims. According to the order, the plaintiffs received lines of credit from an online lending company purportedly owned by a federally recognized Louisiana tribe. After defaulting on their payments, the defendants purchased the past-due accounts and commenced collection efforts. The plaintiffs sued, alleging the defendants’ collection efforts violated the FDCPA and Florida’s Consumer Collection Practices Act (FCCPA) because the defendants knew the loans they were trying to collect were usurious and unenforceable under Florida law. The defendants moved to compel arbitration based on the arbitration agreement in the tribal lender’s line-of-credit agreement, and filed—in the alternative—motions for judgment on the pleadings.
The court ruled, among other things, that while the plaintiffs agreed to arbitrate all disputes when they took out their online payday loans, the “proposed arbitration proceeding strips Plaintiffs of the ability to vindicate any of their substantive state-law claims or rights,” and that, moreover, “the setup is a scheme to hide behind tribal immunity and commit illegal usury in violation of Florida and Louisiana law.” The court also granted in part and denied in part the defendants’ motions for judgment on the pleadings. First, in denying in part, the court ruled that because the “tribal choice-of-law provision in the [tribal lender’s] account terms is invalid,” the plaintiffs’ accounts are subject to Florida law. Therefore, because Florida law is applicable to the plaintiffs’ accounts, they present valid causes of action under the FDCPA and FCCPA. The court, however, ruled that the plaintiffs seemed to “conflate Defendants’ communications to facilitate the collection of the outstanding debts with a communication demanding payment,” pointing out that FDCPA Section 1692c(b) only punishes that latter, which “does not include communications to a third-party collection agency.”
On December 14, the governor of Nevada issued Declaration of Emergency Directive 036, relating to the implementation of Senate Bill 1 (previously covered here). The directive provides that, effective December 15 through March 31, 2021, certain residential unlawful detainer or summary eviction actions against covered persons are stayed. Emergency Directives 008, 025, and 031 (covered here, here, and here) had previously prohibited such evictions through October 14.
On December 11, the governor of Illinois issued Executive Order 2020-74, which extends several executive orders through January 9, 2021 (previously covered here, here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements, (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response, (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here), (iv) Executive Order 2020-30 regarding residential evictions (previously covered here and here), and (v) Executive Order 2020-72 regarding the residential eviction moratorium (previously covered here, here, here, and here).
On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed modifications to the regulations that went into effect on August 14. The Department noted that it received around 20 comments in response to the third set of proposed modifications and the fourth set of proposed modifications is to address those comments and/or to clarify and conform the proposed regulations to existing law. Highlights of the proposed modifications include:
- Amending Section 999.306, subd. (b)(3), to clarify that a business that sells (previously proposed as “collects”) personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.
- The addition of Section 999.315, subd. (f), which identifies a uniform “opt-out button” to be used in addition to posting the notice of right to opt-out or used in conjunction with a “Do Not Sell My Personal Information” link.
Additionally, the Department provided notice that it added new documents and information to the rulemaking file, which was relied upon when adopting the proposed regulations.
Comments on the proposed modifications are due on December 28 by 5:00 p.m.
Virginia issues modified stay at home order identifying banks and financial institution as essential retail businesses
On December 10, the governor of Virginia issued a modified stay at home order limiting travel and gatherings for Virginia residents and operations for certain businesses. However, banks and other financial institutions with retail functions are considered essential retail businesses and may continue to remain open during normal business hours. All businesses, including essential retail businesses, are advised to adhere to the Guidelines for All Business Sectors.
On December 8, the New Jersey attorney general announced an action against a merchant cash advance provider, its parent company, and six other associated entities (collectively, “defendants”) alleging the defendants violated the New Jersey Consumer Fraud Act (CFA) and the General Advertising Regulations through the marketing and transacting of their merchant cash advance (MCA) product. (The defendants are currently facing similar allegations from the FTC, covered by InfoBytes here.) According to the complaint, the defendants engaged in “unconscionable business practices, deceived consumers, and/or made false or misleading statements” by marketing and advertising an MCA product, which was allegedly structured as a short-term, high-cost loan. New Jersey argues that the MCA contracts contain terms that “eliminate the distinctions between loans (with fixed regular payments over a defined term) and legitimate MCAs (with variable payments tied to actual receivables and an undefined term).” New Jersey asserts that traditionally, MCA’s do not have a finite repayment term and thus, the fixed repayment period was the equivalent of a loan to its customers. Moreover, the agreements’ “fixed daily payments extracted from Consumers’ accounts have little to no relation to the businesses’ receivables.” Additionally, New Jersey asserts that the defendants allegedly engaged in unconscionable collection practices, including requiring consumers to sign, in their individual capacity and on behalf of their business, an Affidavit of Confessions of Judgment to obtain the MCA, which would allow judgment against both the Consumer’s business assets and personal assets in the event of a purported default. New Jersey is seeking a permanent injunction, civil penalties, restitution, and disgorgement.
Notably, the New Jersey complaint follows a recent enforcement action against a merchant cash advance provider in California (covered by InfoBytes here), where the California Department of Financial Protection and Innovation (DFPI) found, in apparent contrast to the New Jersey action, that MCA agreements with an indefinite repayment period, among other things, operate as a loan equivalent by, placing the “risk of repayment on the merchant by leaving the repayment period open until fully repaid (with fees and interest).”
- Steven R. vonBerg to discuss "Non-QM market overview & the impact of QM 2.0" at the IMN Non-QM Virtual Conference
- Buckley Webcast: Looking ahead — Tighter scrutiny of deposit and payment practices
- Jeffrey P. Naimon to discuss "What have you bought non-QM post-Covid?" at the IMN Non-QM Virtual Conference
- Magda Gathani to discuss "Cryptocurrency meets banks" at the Women in Housing & Finance Partner Series
- Garylene D. Javier to moderate "Innovation in an evolving privacy landscape" at the American Bar Association Business Law Section Consumer Financial Services Committee Winter Meeting
- Buckley Webcast: What’s next for privacy and data security in 2021 and beyond?