InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Virginia reaches settlement with open-end credit plan lender
On March 4, the Virginia attorney general announced a settlement with an open-end credit plan lender, resolving allegations that the company violated Virginia consumer finance laws by (i) imposing a $100 origination fee on loans during a statutorily-mandated finance charge-free grace period; (ii) “[e]ngaging in a pattern of repeat transactions and ‘rollover’ loans with thousands of consumers who were required to close accounts that they paid down to a $0 balance,” but were then allowed to open new accounts for which new fees were charged on a monthly basis; and (iii) charging interest on accounts at an annual rate of 273.75 percent, far exceeding the 36 percent limit that open-end credit lenders are allowed to charge. Under the terms of the settlement, the company is permanently enjoined from further violating Virginia’s consumer finance laws, and is required to pay $850,000 in restitution and $150,00 in attorneys’ fees and settlement costs. The company must also provide more than $10 million in debt forbearance on “accounts that remain unpaid and that were not converted to a separate loan program in October 2018.”
Illinois reissues and extends several Covid-19 executive orders
On March 5, Illinois Governor JB Pritzker issued Executive Order 2021-05, which extends several executive orders through April 3, 2021 (previously covered here, here, here, here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements, (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response, (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here), (iv) Executive Order 2020-30 regarding residential evictions (previously covered here), and (v) Executive Order 2020-72 regarding the residential eviction moratorium (previously covered here and here).
NYDFS, mortgage lender reach $1.5 million cyber breach settlement
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.
New York warns of “extreme risk” with cryptocurrency trading
On March 1, the New York attorney general issued two alerts warning investors about the “extreme risk” facing New Yorkers investing in virtual or “crypto” currency. The first investor alert directs investors to take caution when investing in virtual currencies because, among other reasons, virtual currency trading platforms provide limited protection from fraud as “[m]ost platforms are subject to little or no oversight.” The second industry alert is directed towards broker-dealers, salespersons, and investment advisors, and provides a reminder that “people and entities dealing in virtual or ‘crypto’ currencies that are commodities or securities in the state of New York, and who do not qualify for an exemption, must register with the Office of the Attorney General,” and that failing to do so will expose them to both civil and criminal liability. The alerts follow an agreement entered last month (covered by InfoBytes here) between the AG and the operators of a virtual currency trading platform and a “tether” virtual currency issuer, along with their affiliated entities, which resolved allegations that the companies deceived clients by overstating available reserves and hiding $850 million in co-mingled client and corporate funds.
Virginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (VCDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018, California became the first state to put in place significant consumer data privacy measures (covered by a Buckley Special Alert). As previously covered by InfoBytes, under the VCDPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The VCDPA also outlines controller responsibilities, including a requirement that, among other things, controllers must enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. While the VCDPA explicitly prohibits a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of no more than $7,500 per violation. Additionally, upon discovering a potential violation of the VCDPA, the attorney general must give the data controller written notice and allow the data controller 30 days to cure the alleged violation before the attorney general can file suit. The VCDPA takes effect January 1, 2023.
California extends commercial foreclosure and eviction moratorium
On March 4, the California governor issued Executive Order N-03-21 extending the protections against commercial foreclosures and evictions arising from the nonpayment of rent or mortgage payments due to a substantial decrease in income or increase in medical expenses caused by the Covid-19 pandemic (previously discussed here and here) to June 30, 2021.
Court approves $9.7 million overdraft fee settlement
On February 25, the U.S. District Court for the Northern District of New York approved a roughly $9.7 million class action settlement resolving claims that a New York credit union improperly assessed banking fees, including overdraft fees, when members had sufficient funds in their checking accounts to pay for the transactions presented for payment. The plaintiffs also alleged, among other things, that the credit union (i) improperly charged fees on a variety of transactions for members who did not opt-in to the credit union’s protection programs; (ii) assessed fees in instances where there was no contractual basis to assess the fees; (iii) transferred money from members’ savings accounts into checking accounts to avoid negative balances and resulting fees, but still imposed the fee; and (iv) violated the terms of its contracts and various laws by imposing non-sufficient funds fees more than once on the same transaction. The settlement requires the credit union to pay approximately $5.85 million into a settlement fund, plus nearly $2.53 million in attorneys’ fees, $168,030 in costs, and $15,000 service awards to each of the three named plaintiffs. The settlement amount also includes the value of the policy changes to be made by the credit union.
CFPB, Maryland reduce disgorgement amount in mortgage kickback case
On February 25, the U.S. District Court for the District of Maryland granted a motion for entry of monetary remedy filed by the CFPB and the Consumer Protection Division of the Maryland Attorney General’s Office (collectively, “Regulators”) in an action concerning the disgorgement calculation for a banker found in contempt of a 2015 consent order. As previously covered by InfoBytes, in 2020, the U.S. Court of Appeals for the Fourth Circuit found that while the district court properly determined that the banker violated the terms of the consent order (which previously settled RESPA and state law mortgage-kickback allegations), the court relied on an overbroad interpretation of the consent order and lacked the causal connection between the banker’s profits and a violation when it ordered the banker to pay over $526,000 in disgorged income. The 4th Circuit vacated the disgorgement order and remanded the case to the court to reassess the disgorgement calculation based on the banker’s more limited conduct that did not comply with the order.
On remand, the court reduced the sanctions amount to approximately $270,000, which represents the banker’s earned income (after taxes) “during the period in which he defied the three express provisions of the Consent Order.” Noting that the 4th Circuit rejected the banker’s argument that the Regulators were required to prove a specific monetary harm arising from his violations, the court wrote that in instances “[w]here harm is difficult to calculate, ‘a court is wholly justified in requiring the party in contempt to disgorge any profits it may have received that resulted in whole or in part from the contemptuous conduct,’” particularly where the party engaged in a “pattern or practice” of such conduct.
Court says Kansas credit card surcharge ban is unconstitutional
On February 25, the U.S. District Court for the District of Kansas granted in part and denied in part a plaintiff’s motion for summary judgment in an action concerning whether a state statute that bans credit card surcharges violates the First Amendment. Kansas law prohibits merchants from imposing a surcharge on customers who pay with credit cards instead of cash, and allows merchants to offer discounts to consumers who pay with cash. The plaintiff, a payment processing technology company, provides “software that allows merchants to display prices, including cost surcharges on purchases made by credit card,” which “allows consumers to comparison shop among payment types.” The plaintiff challenged the constitutionality of the law, claiming it is an unconstitutional restriction on commercial speech since it “effectively limits” what the plaintiff and merchants “can treat as the ‘regular price’ of an item and the corresponding information about prices and credit card fees that can be conveyed to consumers.” The Kansas attorney general—who has the authority to enforce the state’s no-surcharge statute—countered, among other things, that the statute furthers substantial state interests by (i) encouraging merchants to charge lower prices to customers who pay with cash; (ii) lowering the amount of consumer credit card debt through the use of cash discounts; and (iii) providing benefits to merchants by encouraging cash purchases, thereby allowing them to receive immediate payments, avoid credit card fees, and incur lower costs.
The court disagreed, ruling that none of the AG’s arguments advanced a substantial state interest—a requirement in order to not be considered a violation of the First Amendment. “Plaintiff's desire to display a single price while informing customers that credit card purchasers will be charged an additional fee would logically tend to support whatever interest the state may have in encouraging lower prices for cash customers,” the court wrote. “The statute nevertheless effectively prohibits this type of disclosure. Clearly, this restriction on speech is more extensive than necessary to further the asserted state interest.” Moreover, the court noted that “‘surcharges and discounts are nothing more than two sides of the same coin; a surcharge is simply a ‘negative’ discount, and a discount is a ‘negative’ surcharge.”
Court approves $650 million biometric privacy class action settlement
On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media company violated the Illinois Biometric Information Privacy Act (BIPA) by allegedly developing a face template that used facial-recognition technology without users’ consent. A lesser $550 million settlement deal filed in May (covered by InfoBytes here), was rejected by the court in August due to “concerns about an unduly steep discount on statutory damages under the BIPA, a conduct remedy that did not appear to require any meaningful changes by [the social media company], over-broad releases by the class, and the sufficiency of notice to class members.” (See InfoBytes coverage here.) The final settlement requires the social media company to pay $650 million in a settlement fund, plus $97.5 million for attorneys’ fees and expenses and $5,000 service awards to each of the three named plaintiffs. The social media company is also required to provide nonmonetary injunctive relief by setting all default face recognition user settings to “off” and by deleting all existing and stored face templates for class members unless class members provide their express consent after receiving a separate disclosure on how the face template will be used. Face templates for class members who have not had any activity on the social media platform will also be deleted. The court called the settlement a “landmark result,” noting it is one of the largest settlements ever for a privacy violation, and will provide each claimant at least $345.