InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California appellate court says mortgage servicers can be debt collectors under Rosenthal Act
On March 13, a California appellate court held that a mortgage servicer that engages in debt collection activities may be considered a “debt collector” under California’s Rosenthal Fair Debt Collection Practices Act (Rosenthal Act). The decision results from a class action lawsuit alleging that the mortgage servicer made hundreds of phone calls demanding mortgage payments that had already been paid or were not yet due, including making calls at inconvenient times throughout the day and using threats of negative credit reporting and foreclosure. The class action suit alleged that the mortgage servicer’s activity violated the Rosenthal Act and the California’s Unfair Competition Law. The trial court sustained the mortgage servicer’s demurrer to the plaintiff’s complaint, concluding that servicing a mortgage is not a form of collecting consumer debts. In reversing the trial court’s decision, the appellate court held that, although the language in the Rosenthal Act was ambiguous with regard to mortgage debt servicing, it should be “construed broadly in favor of protecting the public,” and thus mortgage lenders and mortgage servicers can be considered “debt collectors” within the law’s purview. The appellate court acknowledged a split among California federal courts on the issue.
NYDFS issues cybersecurity compliance certificate reminder
On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities who have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certificate of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”
Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.
Virginia governor enacts amendment relating to security freeze fees
On March 9, the governor of Virginia signed House Bill 1027, which amends sections of the Code of Virginia relating to security freezes and lowers the maximum amount that a credit reporting agency may charge to place, remove, or lift a security freeze on a protected consumer’s credit report from $10 to $5. Victims of identity theft remain exempt from the fee. The amendment takes effect July 1.
Payday lender settles with California DBO for interest rate cap avoidance
On March 12, the California Department of Business Oversight (DBO) announced a $160,000 settlement with the California subsidiary of a payday lender for allegedly adding improper fees to installment loan principle amounts in order to avoid the California Finance Law’s (CFL) interest rate cap. The settlement resulted from a DBO examination in which the DBO issued a finding that: (i) the lender failed to exclude fees payable to the California DMV when calculating the principal amount of certain vehicle title loans; (ii) excluding the DMV fees, the bona fide principal amount of the loans at issue was less than $2,500; and (iii) the loans were, therefore, subject to the CFL interest rate cap on loans with a principal amount of less than $2,500, which was exceeded on 591 loans. Without admitting to any wrongdoing, the lender agreed to pay an administrative penalty of approximately $78,000 to the DBO and to refund approximately $82,000 to allegedly affected borrowers.
South Dakota amends money lending licenses statute
On March 1, the South Dakota governor signed H.B.1082, amending South Dakota’s money lending licenses statute. Pursuant to H.B. 1082, engagement in the “business of lending money,” for which a license is required, is expressly defined not to include engagement in: (i) “any seller-financed transaction for the sale of assets to a purchaser”; or (ii) “any seller-financed transaction for the sale of real estate through a contract for deed,” so long as the interest rate for such transactions does not exceed the rate permitted under S.D. Code Ann. § 54-4-44.
Pennsylvania Attorney General sues ride-sharing company for 2016 data breach
On March 5, Pennsylvania Attorney General filed a lawsuit against a ride-sharing company for violating Pennsylvania’s Breach of Personal Information Notification Act (BPINA) because of its failure to disclose a 2016 data breach caused by hackers. The complaint alleges that after the company became aware of the breach, it “paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet.” According to the complaint, the breached data included the private information of at least 13,500 Pennsylvania drivers. The Attorney General asserts that, under the BPINA, the company must provide notice to the affected residents without unreasonable delay. Instead, the company waited until November 2017 to disclose the incident. Among other things, the complaint seeks civil penalties in the amount of $1,000 or $3,000, depending on the consumer’s age, for each individual BPINA violation.
The Pennsylvania lawsuit follows similar lawsuits by the City of Chicago and Washington State, previously covered by InfoBytes here.
Virginia Attorney General sues pension sale lender who targeted retired veterans and government employees; obtains full restitution for customers of online lender
On March 7, the Virginia Attorney General took action against Delaware- and Nevada-based installment lenders (defendants) for allegedly making illegal loans with excessive annual interest rates that were disguised as “lump sum” cash payouts to Virginia consumers, in violation of the Virginia Consumer Protection Act (VCPA). According to the complaint, the defendants disguised the high interest loans to Virginia pensioners as “Purchase and Sale Agreements” involving a “sale” or “pension advance” in an effort to bypass consumer lending laws, including TILA and Regulation Z disclosure requirements. Furthermore, the complaint alleges that the loans charged interest rates as high as 183 percent, far exceeding the state’s 12 percent annual usury cap, but because they were misrepresented as sales, defendants avoided potential private actions brought by consumers to recover excessive interest payments. The complaint seeks injunctive and monetary relief.
Separately, on February 23, the Virginia Attorney General announced a settlement with a group of affiliated online lenders and debt collectors (defendants) to resolve violations of the VCPA through the offering of unlawful open-end credit plan loans and engaging in illegal debt collection practices. According to the Assurance of Voluntary Compliance approved earlier in February, between January 2015 through mid-June 2017, the defendants (i) offered open-end credit plan loans and imposed bi-monthly “service fees” that—when calculated with the advertised interest—greatly increased the loan’s cost and exceeded the state’s 12 percent annual limit; (ii) imposed illegal finance charges and other service fees on borrowers during the required 25-day grace period; (iii) contacted consumers in an effort to collect on these loans; and (iv) contacted the consumers' employers to implement wage assignments and garnish wages from consumers' paychecks. Under the terms of the settlement, defendants will provide nearly $150,000 in restitution and debt forgiveness, pay $105,000 in civil penalties and attorneys’ fees, and are permanently enjoined from consumer lending and debt collection activities in the state.
California district court rules social media company cannot dismiss non-users’ facial scan privacy claims
On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-user facial scans. The action was similar to a consolidated class action lawsuit brought by users of the site in 2016. The court found that the factual difference between the two cases (one involving users and one involving non-users) was irrelevant for its Article III analysis. Citing to his February 26 decision (February decision) in the related case, the judge concluded that the abrogation of the plaintiffs’ procedural rights under BIPA, which allow users to control their biometric information, amounted to a concrete injury under Article III. As the court noted in the February decision: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent,” and that there is “equally little doubt . . . that a violation of BIPA’s procedures would cause actual and concrete harm.” The court rejected the defendant’s argument that it did not store non-users’ biometric information, stating that such factual evidence, which is disputed by the plaintiffs, goes to the merits of the case and cannot be weighed or resolved at the motion to dismiss stage.
New York Attorney General settles HIPAA allegations with a health insurance company
On March 6, the New York Attorney General announced a settlement with a healthcare provider for an alleged violation of the Health Insurance Portability Accountability Act (HIPAA) concerning a mailing error, which resulted in the disclosure of over 80,000 social security numbers. According to the announcement, in October 2016, the healthcare provider discovered that its mailing envelopes for certain health policies inadvertently included the customers’ social security numbers as part of the “Health Insurance Claim Number” printed on the envelope. Under the terms of the settlement, the healthcare provider is required to pay a $575,000 fine, review its policies and procedures, and implement a corrective action plan which includes an analysis of the security risks associated with the mailing of policy documents.
International bank settles with New York Attorney General for $500 million for RMBS misconduct
On March 6, the New York Attorney General announced a $500 million settlement with an international bank to resolve allegations of misrepresentations in the sale of residential mortgage-backed securities (RMBS), in violation of New York’s Martin Act and Section 63(12) of New York’s Executive Law. According to the settlement agreement, the investigation focused on 44 securitizations sold by the bank between 2006 and 2007. In addition to the alleged misrepresentations in the offering documents, the bank also included loans in the sales portfolio that due diligence vendors warned did not comply with underwriting guidelines. The $500 million settlement includes $100 million in damages to New York State and $400 million to consumer relief programs.
As previously covered by InfoBytes, the bank recently settled with the California Attorney General for misrepresentations while selling RMBS to California’s public employee and teacher pension fund.