
InfoBytes Blog

Financial Services Law Insights and Observations



  • District Court denies MSJ in FDCPA case


    On October 19, the U.S. District Court for the Middle District of Florida denied a defendant’s motion for judgment without prejudice concerning allegations that it knowingly ignored cease-and-desist letters sent by an individual while the individual had a pending bankruptcy petition. The plaintiff allegedly incurred a debt that was placed with the defendant for collection. Afterward, the plaintiff sought protection under the Bankruptcy Code. During the bankruptcy case, the defendant allegedly sent the plaintiff text messages to collect the debt, the plaintiff responded with a cease-and-desist letter, and then the defendant sent the plaintiff a collection letter. The plaintiff sent another cease-and-desist letter and the defendant sent four more collection letters. Based on the defendant’s post-petition actions, the plaintiff sued for FDCPA and Florida Consumer Collection Practices Act violations. The defendant argued that the plaintiff failed to disclose this lawsuit in her bankruptcy case, which would result in the FDCPA case being dismissed on judicial estoppel grounds. However, the court found that while the plaintiff omitted the name and specific circumstances of her claims against the defendant, she “put the Bankruptcy Court, trustee, and creditors on notice she had a claim against a creditor and properly sought approval from the Bankruptcy Court before retaining counsel to pursue it.” The court went on to state that if the plaintiff “intended to deceive creditors or others in bankruptcy, filing the Application strayed from that intent,” and that “the filing mitigates any prejudice claimed by [the defendant].”

    Courts Florida FDCPA Debt Collection Bankruptcy State Issues

  • District Court preliminarily approves $85 million class action privacy settlement


    On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to class members, the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. The court’s preliminary approval certified a nationwide settlement class of individuals who, between March 30, 2016 and the settlement date, “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication.” Under the terms of the preliminarily approved settlement, the company will establish an $85 million non-reversionary cash fund to pay valid claims, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company must educate users about available security features, and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.   

    Courts Privacy/Cyber Risk & Data Security Settlement Class Action State Issues

  • District Court partially denies company’s motion to dismiss in data breach class action


    On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.

    The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that the plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted the defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on the defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiffs failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because the plaintiffs failed to allege facts to show that they conferred a benefit on the defendant to support a claim for unjust enrichment.

    Courts Class Action Ransomware Negligence Data Breach State Issues Privacy/Cyber Risk & Data Security

  • District Court approves non-party settlement in student debt-relief action


    On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.

    Courts CFPB Enforcement State Attorney General State Issues CFPA UDAAP Telemarketing Sales Rule FDCPA Student Lending Debt Relief Consumer Finance Settlement

  • States, consumer advocates urge agencies to explicitly disavow rent-a-bank schemes

    Federal Issues

    On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).

    According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.

    The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”

    Federal Issues Bank Partnership Rent-a-Bank State Regulators State Issues State Attorney General Bank Regulatory Third-Party Risk Management Third-Party FDIC OCC Federal Reserve Consumer Finance Military Lending Act

  • North Carolina creates regulatory sandbox

    State Issues

    On October 15, the North Carolina governor signed HB 624, which creates a regulatory sandbox program and establishes the North Carolina Innovation Council (Council). Under the North Carolina Regulatory Sandbox Act of 2021, participants will have 24 months from the date an application is approved (unless granted an extension) to test an innovative product or service on consumers in the state without being subject to state laws and regulations that normally would regulate such products or services. The waiver “shall be no broader than necessary to accomplish the purposes” established under the Act. The Act notes that legislative findings determined that existing legal and regulatory frameworks restrict innovation because they “were established largely at a time when technology was not a fundamental component of industry ecosystems, including banking and insurance,” and that innovators would benefit from a flexible regulatory regimen to test new products, services, and emerging technologies. In addition, the Council will provide support for innovation, encourage participation in the regulatory sandbox, and set standards, principles, guidelines, and policy priorities for the types of innovations supported by the regulatory sandbox. The Council will also be responsible for admission into the regulatory sandbox and for assigning selected participants to the appropriate state agency. The program stipulates that innovative products or services may only be offered to state residents, with the exception of products and services associated with a money transmitter, “in which case only the physical presence of the consumer in the [s]tate at the time of the transaction may be required.” The program also allows participants and the applicable state agency to mutually agree to an extension or an increase in the numbers of consumers or dollar limits for a particular product or service. 
    Among other things, participants may also request an extension of not more than 12 months to obtain a license or other authorization required by law to continue to market the product or service. The Act is effective immediately.

    State Issues State Legislation Fintech Regulatory Sandbox North Carolina

  • New York takes action on cryptocurrency lending platforms

    State Issues

    On October 18, the New York attorney general ordered two unregistered cryptocurrency lending platforms to immediately cease their activities in the state and directed three additional platforms to provide information about their activities and products. The AG clarified that most virtual currency lending products “fall squarely within any of several categories of ‘security’ under the Martin Act,” and therefore platforms must comply with the Martin Act’s registration requirements unless exempt. According to the AG, the virtual currency lending products identified in these actions “promise a fixed or variable rate of return to investors, and claim to deliver those returns by, among other things, trading with, or further lending those virtual assets.” As such, the products are securities under the Martin Act, particularly those that accept virtual currencies in exchange for a rate of return. The press release provided a redacted version of a cease letter sent to one of the two unregistered platforms, which stated that platforms engaging in unregistered activity have committed a fraudulent practice under the Martin Act and may face civil remedies. The platform is ordered to cease the alleged activity within 10 days or explain why the AG should not take further action. A different redacted letter requested information about the recipient’s products, where it operates, how the platform uses deposited virtual currency, whether U.S. dollars can be deposited or withdrawn from the platform, all financial institutions that are used, and whether the companies accept tethers, among other things. The letter also requested examples of agreements, contracts, and risk disclosures, as well as due diligence policies and procedures. These letters follow other actions taken recently by the AG against cryptocurrency trading platforms and token issuers (see e.g. InfoBytes here and here).

    State Issues State Attorney General Fintech Cryptocurrency Enforcement New York

  • District Court grants final approval in BIPA settlement


    On October 13, the U.S. District Court for the Northern District of Illinois granted final approval to a $2.6 million class action settlement between a sports entertainment chain (defendant) and a class of former employees, resolving allegations that the defendant was responsible for improperly collecting and storing employees’ data in violation of Illinois’ Biometric Information Privacy Act (BIPA). According to the final settlement (which was preliminarily approved in June by the court), plaintiffs alleged that the defendant violated BIPA by collecting and disclosing Illinois employees’ biometric data through a finger-scan timekeeping system without following BIPA’s written disclosure and consent requirements. The gross settlement fund is approximately $2.6 million, with $22,000 awarded to the settlement administrator, approximately $865,000 allocated for attorney fees, and nearly $35,000 designated for litigation costs.

    Courts Class Action BIPA Privacy/Cyber Risk & Data Security Settlement State Issues

  • CFPB, FTC, and North Carolina argue public records website does not qualify for Section 230 immunity


    On October 14, the CFPB, FTC, and the North Carolina Department of Justice filed an amicus brief in support of the consumer plaintiffs in Henderson v. The Source for Public Data, L.P., arguing that a public records website, its founder, and two affiliated entities (collectively, “defendants”) cannot use Section 230 liability protections to shield themselves from credit reporting violations. The case is currently on appeal before the U.S. Court of Appeals for the Fourth Circuit after a district court determined that the immunity afforded by Section 230 of the Communications Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

    The plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency under the FCRA. According to the amicus brief, the plaintiffs’ claims do not seek to hold the defendants liable on the basis of the inaccurate data but rather rest on the defendants’ alleged “failure to follow the process-oriented requirements that the FCRA imposes on consumer reporting agencies.” According to plaintiffs, the defendants, among other things, (i) failed to adopt procedures to assure maximum possible accuracy when preparing reports; (ii) refused to provide plaintiffs with copies of their reports upon request; (iii) failed to obtain required certifications from its customers; and (iv) failed to inform plaintiffs they were furnishing criminal information about them for background purposes. The defendants argued that they qualified for Section 230 immunity. The 4th Circuit is now reviewing whether a consumer lawsuit alleging FCRA violations seeking to hold a defendant liable as the publisher or speaker of information provided by a third party is preempted by Section 230.

    In their amicus brief, the CFPB, FTC, and North Carolina urged the 4th Circuit to overturn the district court ruling, contending that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by applying its immunity provision to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when reports are prepared, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes. “As the consumer reporting system evolves with the emergence of new technologies and business practices, FCRA enforcement remains a top priority for the commission, the Bureau, and the North Carolina Attorney General,” the brief stated. “The agencies’ efforts would be significantly hindered, however, if the district court’s decision [] is allowed to stand.”

    Newly sworn-in CFPB Director Rohit Chopra and FTC Chair Lina M. Khan issued a joint statement saying “[t]his case highlights a dangerous argument that could be used by market participants to sidestep laws expressly designed to cover them. Across the economy such a perspective would lead to a cascade of harmful consequences.” They further stressed that “[a]s tech companies expand into a range of markets, they will need to follow the same laws that apply to other market participants,” adding that the agencies “will be closely scrutinizing tech companies’ efforts to use Section 230 to sidestep applicable laws. . . .”

    Courts CFPB FTC North Carolina State Issues Amicus Brief FCRA Appellate Fourth Circuit Consumer Reporting Agency

  • District Court allows usury claims to proceed, says class action waivers do not bar certification


    On October 14, the U.S. District Court for the Eastern District of Virginia granted class certification in an action alleging a payday lending operation violated RICO and Virginia’s usury law by partnering with federally-recognized tribes to issue loans with allegedly usurious interest rates. The plaintiffs alleged that the defendants (“founders, funders, [or] closely held owners of [a lender] that serviced the high-interest loans made by certain tribal lending entities”) participated in a lending scheme to circumvent state usury laws. The plaintiffs seek declaratory and injunctive relief, damages, and attorney’s fees and costs arising from claims alleging that the defendants, among other things: (i) used income derived from the collection of unlawful debt to further assist the operations of the enterprise; (ii) participated in an enterprise involving the unlawful collection of debt; (iii) collected unlawful debt; (iv) entered into unlawful agreements; (v) issued unlawful loans with interest rates exceeding 12 percent; and (vi) were thus unjustly enriched. The court granted class certification after finding that the existence of a class action waiver in loan agreements between plaintiffs and tribal lenders did not bar class certification. The court explained that “[b]ecause the class action waivers exist to ‘make unavailable to the borrowers the effective vindication of federal statutory protections and remedies,’ the prospective waiver doctrine applies.” The waivers were thus unenforceable.

    Courts Class Action Payday Lending Tribal Immunity Tribal Lending State Issues Usury Interest Rate RICO
