InfoBytes Blog

11th Circuit: Statements indicating accrual of debt balance following settlement are enough to state a claim

On July 1, the U.S. Court of Appeals for the Eleventh Circuit overturned a district court’s dismissal of an FDCPA case, holding that statements sent to plaintiffs indicating that a debt balance was accruing after a settlement had been reached is enough to state a claim. According to the opinion, the plaintiffs defaulted on a mortgage and a servicer sued for foreclosure. While the foreclosure suit was pending, the defendant took over servicing of the loan. A “disagreement” arose, which led the plaintiffs to sue the defendant. A settlement was reached and it was agreed that the plaintiffs owed $85,790.99, which was to be paid in one year. However, four months later, the defendant sent a mortgage statement notifying the plaintiffs that their loan had “been accelerated” because they were “late on [their] monthly payments.” On the defendant’s “fast-tracked timetable,” the plaintiff owed $92,789.55 to be paid in a month, and if they did not pay, the defendant’s statement stated that they risked more fees and “the loss of [their] home to a foreclosure sale.” The plaintiffs continued to receive statements and the amount due increased monthly. The plaintiffs sued, saying the defendant violated the FDCPA by sending statements with incorrect balances. A district court ruled the periodic statements were unrelated to debt collection because the defendant was required to send monthly updates under TILA. The district court further determined that the plaintiffs failed to state an FDCPA claim, declined to exercise supplemental jurisdiction over the Florida law claims, and dismissed the complaint.

On appeal, the 11th Circuit ruled that statements must comply with the FDCPA, even if they are not required to be sent under the statute. The 11th Circuit reiterated that the respective requirements of TILA and the FDCPA can be approached in a “harmonized” fashion, stating that “a periodic statement mandated by [TILA] can also be a debt-collection communication covered by the FDCPA.” The appellate court reversed the district court’s dismissal because “the complaint here plausibly alleges that the periodic statements sent to the plaintiffs aimed to collect their debt.”

Courts Appellate Eleventh Circuit FDCPA TILA State Issues Florida Debt Collection

Collection agency to pay $10,000 for operating without a license in Connecticut

On June 24, the Connecticut Department of Banking issued a consent order against a company for operating as a consumer collection agency without obtaining the proper license. According to the order, the company filed a consumer collection agency license application in Connecticut in June 2020. However, during its review of the company’s application, the Department of Banking discovered that it had been operating as a consumer collection agency without a license in the state since 2019. Under the terms of the consent order, the company must pay a civil penalty fine of $10,000, and pay $800 to cover licensing fees.

State Issues Licensing Connecticut State Regulators Enforcement

Louisiana lets financial institutions, trust companies provide virtual currency custody

Recently, the Louisiana governor signed HB 802, which permits financial institutions or trust companies to provide customers with virtual custody services so long as there are “adequate protocols in place to effectively manage risks and comply with applicable laws.” A “trust company” is defined as “a corporation or a limited liability trust company organized in accordance with this Title, the laws of another state, or pursuant to the laws of the United States, including a trust company organized pursuant to the laws of this state before June 27, 2003, or an entity chartered to act as a fiduciary that is neither a depository institution nor a foreign bank.”

Before offering virtual currency custody services, a financial institution or trust company must conduct a “methodical self-assessment” to examine the risks involved in offering such services. Should it decide to offer such services, the financial institution or trust company must: (i) “[i]mplement effective risk management systems and controls to measure, monitor, and control relevant risks associated with custody of digital assets such as virtual currency”; (ii) confirm adequate insurance coverage for such services is in place; and (iii) “[m]aintain a service provider oversight program to address risks to service provider relationships as a result of engaging in virtual currency custody services.” A financial institution or trust company may provide virtual currency custody services in either a fiduciary or non-fiduciary capacity, consistent with its charter. If such services are provided in a nonfiduciary capacity, the financial institution or trust company will “take possession of the customer’s asset for safekeeping while legal title remains with the customer” (i.e., “the customer shall retain direct control over the keys associated with his virtual currency”). Should services be provided in a fiduciary capacity, a financial institution or trust company must “require customers to transfer their virtual currencies to the control of the financial institution or trust company by creating new private keys to be held by the financial institution or trust company.” In its fiduciary capacity, a financial institution or trust company has the “authority to manage virtual currency assets as it would any other type of asset held in such capacity.” Additionally, a financial institution or trust company may also provide virtual currency custody services through third-party service providers. HB 802 takes effect August 1.

State Issues Digital Assets State Legislation Louisiana Virtual Currency

Louisiana enacts student loan servicer provisions, establishes requirements for private education lenders

On June 18, the Louisiana governor signed HB 610, which defines terms and outlines provisions related to student loan servicers. Among other things, the act prohibits servicers from misleading student loan borrowers or engaging in any unfair, abusive, or deceptive trade practice. Servicers are also prohibited from making misrepresentations or omitting information related to fees, payments, repayment options, loan terms and conditions, or borrower obligations. Moreover, servicers may not “[a]llocate a nonconforming payment in a manner other than as directed by the student loan borrower” under certain circumstances. The act also outlines duties related the furnishing of information to consumer reporting agencies, providing that a servicer may not (i) submit inaccurate information to a consumer reporting agency; (ii) refuse to correct inaccurately furnished information; (iii) fail to report a borrower’s favorable payment history at least once a year; (iv) refuse to communicate with a borrower’s authorized representative; and (v) make false statements or omit material facts connected to a state or local agency investigation. Additionally, the act specifies responsibilities related to responding to written inquires and complaints from consumers.

The same day, the governor also signed HB 789, which establishes a private student loan registry and outlines provisions related to private education lenders. The act stipulates that all private education lenders operating in the state must register with the commissioner, which may include the payment of fees and registration through the Nationwide Multistate Licensing System and Registry. However, the act allows the commissioner to prescribe an alternative registration process and fee structure for postsecondary education providers. These registration requirements are not applicable to banks, savings banks, savings and loan associations, or credit unions operating pursuant to authority granted by the commissioner. Private education lenders will also be required to comply with certain reporting requirements, including providing information related to the schools where the lender has made loans to students residing in the state, the total number and dollar amount of loans made annually, interest rate ranges, borrower default rates, copies of promissory notes and contracts, and cosigner loan statistics, among others.

Both acts take effect August 1.

Licensing State Issues State Legislation Louisiana Student Lending Student Loan Servicer Consumer Finance NMLS UDAP

DFPI concludes MTA licensure not required for donations to NPOs

Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to certain agent of payee requirements. The redacted opinion letter examines whether the inquiring company’s product for donations to nonprofit organizations (NPOs) is exempt from the MTA. DFPI also reviewed whether: (i) money held by the company in an operating account, related to MTA-exempt activities such as NPO donations, is stored value; and (ii) closed loop transactions, and specific bank-issued open-loop gift cards without cash access, are exempt from the MTA. The Washington state-headquartered company sells reward programs to businesses that are used to incentivize purchases by their customers, reward customer loyalty, and reward employee performance. The opinion letter does not address closed loop gift cards and open loop gift cards, as DFPI previously issued an opinion letter regarding these products on February 19, 2020, nor does it address a yet-to-be introduced reward program that deposits cash into a recipient’s account or provides credit to a specified credit card as the company already acknowledges that this service constitutes regulated activity under the MTA. 

However, the opinion letter does address circumstances when an NPO donation is selected by a recipient from the company’s reward options. In this instance, the reward amount is transferred from the company’s operating account to its custodial bank account designated “For the Benefit Of Customers” held at a national bank. The company then “aggregates contributions to each NPO and distributes these amounts, less its 8% administrative fee, directly to the NPOs on a weekly basis.” According to the company, “[f]unds do not move out of the NPO Account until these payments are made and the NPO Account is not used for any purposes other than NPO Donations.” DFPI concluded that the company’s current NPO agreement satisfies the agent of payee requirements for exemption from the MTA, and that as such, NPO donations are not a regulated activity. Specifically, the company’s NPO agreement provides that the company is appointed as the NPO’s agent and is obligated to remit all funds collected on the NPO’s behalf to the NPO. Receipt of the funds from the company’s client “constitutes receipt by the NPO, even if the NPO does not receive the funds from [the client].” The company, and not the client or recipient, is solely responsible to the NPO, DFPI said, adding that “[c]lient funds temporarily being held in [the company’s bank] operating account in prepayment for closed loop gift cards, bank-issued open loop gift cards, and NPO donations are not stored value.”

Licensing State Issues DFPI Nonprofit California Money Transmission Act California State Regulators

Louisiana proposes virtual currency business licensing rules

On June 20, the Louisiana Office of Financial Institutions (OFI) published proposed rules in the Louisiana Register to implement the Louisiana Virtual Currency Business Act (VCBA), which governs the licensing process for businesses or individuals who are currently operating, or intend to soon begin operating, a virtual currency business in the state. As previously covered by InfoBytes, the Act (HB 701), which took effect August 1, 2020, provides for the licensing and regulation of virtual currency businesses in the state. Subject to certain exceptions, the bill establishes licensing and registration requirements, and, among other things, (i) authorizes reciprocity of licensure with other states; (ii) specifies that licensee applications must be submitted through the Nationwide Multi-State Licensing System; (iii) adds provisions related to licensee examinations; (iv) outlines licensee surety bond requirements “based on the nature and extent of risks in the applicant’s virtual currency business model”; (v) provides the state’s office of financial institutions with enforcement authority; and (vi) prohibits licensees from engaging in unfair, deceptive, or fraudulent practices. 

The proposed rules are intended to enable OFI to achieve its regulatory goals and supervision and oversight of such persons included within the scope of the VCBA in an efficient, effective manner. OFI also proposes to implement a fee structure to cover regulatory and supervisory costs in order for the agency to effectively ensure compliance with the VCBA, and allow for licensure and registration of covered persons. Among other things, the proposed rules:

• Outline various definitions, including terms related to control, net worth, unfair or deceptive acts or practices, and unfair or unsound acts or practices.
• Describe processes for the approval of a control person or approval of a change in control; licensing renewal or registration notice; determination of net worth; examination and investigation procedures; and requirements for reporting, recordkeeping, and implementation of policies and procedures.
• Stipulate that “failure to provide any disclosure or disclosures required by Subsection 1931(C) of this rule shall be an unfair or deceptive act or practice for purposes of taking enforcement action against a licensee, registrant, or person that is neither a licensee nor registrant but is engaging in virtual currency business activity or activities.” While the proposed rules do not specifically identify the required disclosures, they state that the “commissioner shall also determine, by policy, the time and form required for such disclosures. Disclosures required by this section must be made separately from any other information provided by the licensee to a person and in a clear and conspicuous manner. A licensee may propose, for the commissioner’s approval, alternate disclosures as deemed more appropriate for its virtual currency business activity with, or on behalf of, persons in Louisiana.”
• Clarify that an unsafe or unsound act or practice includes engaging in an activity “which creates the likelihood of material loss, insolvency, dissipation of the licensee’s or registrant’s assets, materially prejudices the interests of its customers, and any other set of facts and circumstances, as determined by the commissioner in his discretion.”
• Allow the commissioner to assess a civil penalty for violations of the VCBA (or any rule promulgated pursuant to the VCBA or an commissioner-issued orders) not to exceed $1,000 for each violation.

The proposed rules provide that “[n]oncompliance with any provisions of the VCBA, including but not limited to any provisions pertaining to ownership, control, security, net worth, registration, or failure to pay any fee may likewise be considered in determining whether to deny issuance or renewal of a license or notice of registration.” Once the rules are implemented, any person already engaged in virtual currency business activity or activities in the state must either apply for a license or file a notice of registration, and submit a completed application within 90 days of the effective date. Persons engaged in virtual currency business activity that fail to submit a completed licensing application or notice of registration within 90 days of the effective date of the rules shall be deemed to be conducting unlicensed or unregistered virtual currency business activity or activities and will be subject to civil and criminal penalties. Starting November 1, 2023, “all applications for renewal for all licenses and notices of registration to engage in virtual currency business activities shall begin submitting an application or notice of registration for renewal on the first day of November of each calendar year.”

Comments on the proposed rules are due July 10.

Licensing Digital Assets State Issues State Regulators Louisiana Virtual Currency Agency Rule-Making & Guidance

N.J. appeals court says debt collector may file suit during the pandemic

On June 29, the Superior Court of New Jersey, Appellate Division affirmed a lower court’s granting of summary judgment in favor of a plaintiff debt collector in an action over whether a suit could be filed during the Covid-19 pandemic despite a clause in an agreement with the original creditor that barred collection actions in a disaster area. According to the opinion, the plaintiff purchased a portfolio of debts, including two credit card debts owned by the individual defendant. The plaintiff sued the defendant after attempts to collect on the debts were unsuccessful. The defendant filed a third-party complaint against the plaintiff asserting counterclaims accusing the plaintiff of violating the FDCPA, and stating that collection agencies were barred by an executive order that allegedly prohibited the initiation and adjudication of debt collection matters during the pandemic. A lower court granted the plaintiff’s motion for summary judgment, after finding no genuine issue of material fact which would prevent summary judgment in favor of the plaintiff. Specifically, the lower court “found that plaintiff provided sufficient, credible evidence in the record that established the nexus between the accounts and defendant,” and “also found the executive order and FDCPA argument meritless,” as “no directive existed that prevented agencies from initiating debt collection matters during the COVID-19 pandemic.” The defendant appealed.

On appeal, the defendant argued, among other things, that the lower court had “improperly relied on inadmissible hearsay documents” and erred in finding the executive order and FDCPA inapplicable. The defendant referred to a clause in an agreement she had with the original creditor, which said: “Without limiting the foregoing, [plaintiff] further represents and warrants that it shall: . . . (x) upon declaration by [the Federal Emergency Management Agency] or any appropriate local, state or federal agency that a location is a disaster area, [plaintiff] agrees to temporarily suspend its collection activities within said area until such time as is reasonable and practicable.” The appeals court agreed with the lower court’s reasoning, and called the defendant’s argument “baseless.” According to the appeals court, the defendant “failed to present evidence that an executive order prohibited the commencement and adjudication of debt collection matters during a state emergency related to the COVID-19 pandemic” and failed to establish “that there is a contractual bar to plaintiff filing a debt collection suit in a disaster area.”

Courts State Issues Debt Collection FDCPA Consumer Finance Covid-19 Appellate New Jersey

8th Circuit says bank is entitled to proceeds from condo sale

On June 24, the U.S. Court of Appeals for the Eighth Circuit affirmed a trial court’s decision that a plaintiff bank is entitled to the proceeds from the sale of a condominium despite the defendant’s ex-husband’s bankruptcy and an outstanding balance owed to the bank on a business loan. When the defendant signed and initialed a mortgage securing the financing of a condominium, she consented to her ex-husband’s execution of the note but was not a signatory. The mortgage contained three provisions, including (i) a choice-of-law provision specifying that Iowa law governed the mortgage; (ii) a homestead waiver, in which the defendant and her ex-husband “waive[d] all appraisement and homestead exemption rights relating to” the condominium, except as prohibited by law; and (iii) a future advances clause or “dragnet clause,” which granted the plaintiff a security interest in the mortgage that covered future funds the ex-husband may borrow. The plaintiff initiated litigation against the defendant seeking a declaratory judgment that the defendant’s portion of the escrowed sale proceeds was subject to the mortgage’s future advances clause, and that the plaintiff could apply the proceeds to her ex-husband’s business loan. The trial court concluded that the bank was entitled to the proceeds.

On appeal, the 8th Circuit concluded that the mortgage’s future advances clause encompassed and secured the defendant’s ex-husband's business loan. Among other things, the appellate court rejected the defendant’s arguments that (i) the plaintiff failed to make a prima facie case that it was entitled to the condo sale proceeds because it purportedly “did not prove the proceeds comported with the mortgage’s maximum obligation limit clause (finding “no miscarriage of justice in declining to analyze her claim”); and (ii) the mortgage forced “her to waive her homestead rights in contravention of public policy” and in violation of the FTC’s “unfair credit practices” regulation (16 C.F.R. § 444.2)—a regulation, the appellate court pointed out, that does not apply to “banks” by its own terms. The 8th Circuit also rejected defendant’s unconscionability claim under Iowa law, stating that the “doctrine of unconscionability does not exist to rescue parties from bad bargains.” The appellate court further rejected the defendant’s other “equitable arguments” as “untenable” primarily because the mortgage is a “credit agreement” regulated under Iowa Code § 535.17(5)(c), and that statute expressly displaces equitable remedies.

Courts State Issues Iowa Appellate Eighth Circuit Bankruptcy Mortgages Consumer Finance

District Court preliminarily approves $3.7 million data breach settlement

On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.

Privacy/Cyber Risk & Data Security Courts State Issues Class Action Data Breach California Settlement

New York fines supermarket chain $400,000 for mishandled consumer data

On June 30, the New York attorney general announced a settlement with a New York-based supermarket chain (respondent) for allegedly leaving more than three million customers’ personal information in unsecured, misconfigured cloud storage containers, which made the data potentially easy to access. The compromised data included customer account usernames and passwords, as well as customer names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers. According to the assurance of discontinuance, a security researcher informed the respondent in 2021 that one of the cloud storage containers was misconfigured from its creation in January 2018 until April 2021, potentially exposing customers’ personal information. A second misconfigured container was identified in May 2021 that had been publicly accessible since November 2018, the AG said, noting that the respondent “immediately reviewed its cloud environment and identified the container, which had a database backup file with over three million records of customer email addresses and account passwords.” The AG asserted that the respondent also “failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.” Nor did the retailer maintain long-term logs of its cloud assets, thus making it difficult to security incidents, the AG said.

The terms of the settlement require the respondent to pay $400,000 in penalties to the state. The respondent has also agreed to (i) maintain a comprehensive information security program, including reporting security risks to the company's leadership; (ii) establish practices and policies to maintain an inventory of all cloud assets and to ensure all cloud assets containing personal information have appropriate measures to limit access; (iii) develop a penetration testing program and implement centralized logging and monitoring of cloud asset activity; (iv) establish appropriate password policies and procedures for customer accounts; (v) maintain a reasonable vulnerability disclosure program to enable third parties to disclose vulnerabilities; (vi) establish appropriate practices for customer account management and authentication; and (vii) update its data collection and retention practices to ensure it only collects customers’ personal information when there is a reasonable business purpose for the collection and permanently deletes all personal information collected before the agreement for which no reasonable purpose exists.

Privacy/Cyber Risk & Data Security State Issues New York Settlement State Attorney General Consumer Protection