InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California governor signs legislation on debt collection
On October 4, the California governor signed SB 531, which requires debt collectors to provide more information to consumers when assigned to collect a debt. Among other things, the bill: (i) expands the standards to allow Californians to verify a collector’s authority; (ii) bans creditors from selling the debt without first giving the debtor 30-day notice; (iii) requires debt buyers to provide a written statement to the debtor upon request; and (iv) prohibits, in certain circumstances, a debt collector from making a written statement to a debtor in an attempt to collect a delinquent consumer debt. The law is effective starting July 1, 2022.
District Court grants final approval of $92 million class action settlement over privacy violations
On August 22, the U.S. District Court for the Northern District of Illinois granted final approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA), among other things, by defying state and federal privacy laws through a social media platform and entertainment application (app). The first of the 21 putative class actions comprising this multidistrict litigation were filed in 2019, and the other 20 putative class actions were filed in 2020 in separate federal districts. Class members, comprised of U.S. residents who used the app prior to preliminary approval, and an Illinois subclass of all Illinois residents who used the app to create videos before preliminary approval, filed a consolidated amended class action complaint in 2020, claiming that the defendants harvested and profited from users’ private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings. The defendants argued, among other things, that the class members consented to the alleged misconduct by accepting the app’s terms of service.
Under the terms of the settlement, the defendants must pay “$92 million in monetary relief and an array of injunctive relief for the putative settlement class.” The settlement also requires the defendants to, among other things: (i) refrain from using the app to collect or store certain U.S. user data, including biometric data and geolocation information, without making the necessary disclosures; (ii) delete all pre-uploaded user-generated content collected from U.S. users who did not “save” or “post” the content; and (iii) require a new, yearly training program for the defendants’ employees and contractors regarding compliance with data privacy laws.
District Court: Company must face CCPA class action after ransomware attack
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”
As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”
Soltani to head the California Privacy Protection Agency
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
Massachusetts highlights UDAP risks of representment fees
On September 23, the Massachusetts Office of Consumer Affairs and Business Regulation, Division of Banks, issued a supervisory alert reminding financial institutions to clearly disclose representment non-sufficient funds (NSF) fees connected to deposit accounts to avoid consumer confusion as well as potential legal and regulatory risks. The alert explains that a representment NSF fee may occur when a financial institution presents the same transaction again, in an attempt to obtain declined funds. According to the alert, a “repeated merchant payment transaction can trigger the assessment of multiple NSF fees by a depository institution if the transaction is presented more than once,” causing some financial institutions to charge the consumer an NSF fee for both the original presentment as well as for each subsequent representment. The alert discusses consumer protection risks associated with the representment of NSF fees, including recent class action lawsuits for breach of contract, some of which have resulted in customer reimbursements and legal fees. Additionally, the alert highlights issues with standard industry deposit account agreements and fee schedules supplied by payment processing software vendors to financial institutions, which may not adequately explain an institution’s actual NSF fee practices as disclosed to customers. While certain disclosures and account agreements may indicate that one NSF fee will be charged “per item” or “per transaction,” these forms may not sufficiently explain that the same processed transaction may trigger multiple NSF fees. The alert reminds financial institutions charging representment fees that they risk violating state and federal UDAP law if their relevant account disclosures and agreements are not in compliance, and urges financial institutions to review deposit disclosures and contract language to ensure NSF fees are clearly and consistently communicated to consumers.
CSBS responds to regulators’ request on emerging technologies
On September 27, the Conference of State Bank Supervisors (CSBS) sent a letter to Ranking Member of the Senate Banking Committee Senator Pat Toomey (R-PA) detailing state bank regulators’ role in supervising money transmission and virtual currencies, in addition to recommending an activities-based approach to regulation. The letter is in response to a request by Senator Toomey for input on the regulation of financial technologies earlier this year. In Senator Toomey’s August 26 letter, he requested collection of public comments on proposed legislative language, among other things, to regulate emerging technologies. The Senator also requested that each proposal have a brief description that includes “how it will encourage the growth of cryptocurrency and blockchain technology” in the U.S. According to the letter from CSBS, state bank regulators are encouraging “Congress and federal regulators to focus on the activities at issue and making clarifications in existing laws, regulations, and interpretations,” and believe that “[a]n activities-based approach must be performed with collaboration from all stakeholders or risk one regulatory view overextending into areas where it would hurt innovation and consumers.” CSBS also points out that the Money Transmission Modernization Act established a regulatory baseline and represents a critical step in enhancing multistate harmonization in the money transmission industry. CSBS further discussed Networked Supervision, a strengthened collaboration which permits states to operate as a network. According to the letter, earlier this year, CSBS approved public priorities, which highlighted efforts that states will take to advance Networked Supervision focused on money services businesses. CSBS states that these priorities “emphasize the states’ commitment to harmonization, collaboration, and innovation throughout the state regulatory system.”
District Court: Maryland escrow law does not confer private right of action
On September 22, the U.S. District Court for the District of Maryland granted a national bank’s motion for summary judgment in an action claiming the bank allegedly failed to pay interest on mortgage escrow accounts. The plaintiff filed a putative class action asserting various claims including for violation of Section 12-109 of the Maryland Consumer Protection Act (MCPA), which requires lenders to pay interest on funds maintained in escrow on behalf of borrowers. In response, the bank filed a motion to dismiss on the basis that the MCPA is preempted by the National Bank Act and by 2004 OCC preemption regulations. In 2020, the court denied the bank’s motion to dismiss after it determined, among other things, that under Dodd-Frank, national banks are required to pay interest on escrow accounts when mandated by applicable state or federal law. (Covered by InfoBytes here.) Citing previous decisions in similar escrow interest cases brought against the same bank in other states (covered by InfoBytes here and here), the court stated that Section 12-109 “does not prevent or significantly interfere with [the bank’s] exercise of its federal banking authority, because [Section] 12-109’s ‘interference’ is minimal, when compared with statutes that the Supreme Court has previously found were preempted.” The court further noted that state law—which “still allows [the bank] to require escrow accounts for its borrowers”—provides that the bank must pay a small amount of interest to borrowers if it chooses to maintain escrow accounts.
However, in its most recent ruling, the court held that the MCPA does not authorize the plaintiff to sue either. “[T]his court finds that § 12-109 does not confer a private right of action,” the court wrote, adding that the plaintiff’s breach of contract claim could not get around a notice-and-cure provision in her mortgage agreement that she had not complied with before suing. The plaintiff argued that these requirements did not apply because “her self-styled breach of contract claim is actually a statutory claim because the allegedly breached contractual provision is one which pledges general adherence to applicable law.” The court disagreed, stating that under the plaintiff’s theory “any claim for breach of contract, which also violated a federal or state law, would be vaulted to a privileged hybrid status. Such claims would enjoy an unlimited private right of action (regardless of whether the underlying statute created one) and. . .would be unbounded by any of the provisions or conditions precedent detailed in the contract itself.” The court also ruled that the plaintiff’s escrow statements, which “correctly reflected that her account was not accruing interest,” are themselves “not rendered deceptive by the mere fact that Plaintiff believes such interest is owed.”
En banc 9th Circuit: FHA does not support downstream injuries
On September 28, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision concluding that the Fair Housing Act (FHA) “is not a statute that supports proximate cause for injuries further downstream.” As previously covered by InfoBytes, the City of Oakland sued a national bank alleging violations of the FHA and the California Fair Employment and Housing Act, claiming the bank provided minority borrowers mortgage loans with less favorable terms than similarly situated non-minority borrowers, which led to disproportionate defaults and foreclosures and caused (i) decreased property tax revenue; (ii) increased city expenditures; and (iii) neutralized spending in Oakland’s fair-housing programs. In 2020, a three-judge panel affirmed both the district court’s denial of the bank’s motion to dismiss claims for decreased property tax revenue, as well as the court’s dismissal of Oakland’s claims for increased city expenditures. (Covered by InfoBytes here.) The panel further held that Oakland’s claims for injunctive and declaratory relief were also subject to the FHA’s proximate-cause requirement and, on remand, the district court must determine whether Oakland’s allegations satisfied this requirement. The bank filed a petition for panel rehearing and rehearing en banc last year arguing, among other things, that the panel had “fashioned a looser, FHA-specific proximate-cause standard” in conflict with the U.S. Supreme Court’s decision in Bank of America Corp. v. City of Miami. As covered by a Buckley Special Alert, in 2017, the Supreme Court held that municipal plaintiffs may be “aggrieved persons” authorized to bring suit under the FHA against lenders for injuries allegedly flowing from discriminatory lending practices, but that such injuries must be proximately caused by, rather than simply the foreseeable result of, the alleged misconduct.
The 9th Circuit agreed with the bank and remanded the case for dismissal of the FHA claims and proceedings consistent with the opinion. Citing the Miami decision as one of the leading factors, the panel stated that “[w]e begin where Miami began, with ‘[t]he general tendency. . .not to go beyond the first step,’” adding that “[t]here is no question that Oakland’s theory of harm goes beyond the first step—the harm to minority borrowers who receive predatory loans. Oakland’s theory of harm runs far beyond that—to depressed housing values, and ultimately to reduced tax revenue and increased municipal expenditures. Oakland thus fails a strict application of the general tendency not to stretch proximate causation beyond the first step.” The panel also affirmed the district court’s decision that Oakland failed to sufficiently plead claims related to increased municipal expenditures and reversed the district court’s denial of the bank’s motion to dismiss claims for lost property tax revenue and injunctive and declaratory relief.
Colorado reaches agreement with financial institution to refund $1.68 million in unused GAP fees
On September 27, the Colorado attorney general announced that a financial institution has agreed to refund approximately $1.68 million to Colorado borrowers after allegedly failing to return guaranteed automobile protection (GAP) fees that were improperly retained by the financial institution. Under Colorado law, lenders are required to automatically refund borrowers any unearned GAP payments if a borrower prepays a loan prior to maturity or a vehicle is repossessed before the loan is paid off. Under the terms of the assurance of discontinuance, the financial institution (without admitting or denying liability) has agreed to comply with all legal obligations and issue refunds to affected borrowers. The financial institution will also pay $75,000 to the AG as reimbursement for costs. The AG noted that the financial institution voluntarily provided information concerning GAP payments to Colorado borrowers, fully cooperated in good faith, and has “committed to a robust oversight system to ensure” future compliance. The AG also noted that a separate credit union is currently determining the amount of GAP refunds it owes to consumers.
District Court says bank must face reopened accounts allegations
On September 27, the U.S. District Court for the District of New Jersey granted in part and denied in part a national bank’s motion to dismiss a putative class action concerning allegations that the bank opened and reopened accounts without notifying customers. The plaintiffs alleged that they discovered the bank reopened closed accounts after receiving tax refunds and a one-off refund from a retailer. According to the plaintiffs, the bank accepted deposits into the reopened accounts and then allegedly collected funds from the accounts, resulting in unanticipated fees.
The court issued an opinion, calling it an issue of first impression within the Third Circuit, finding that “account numbers, whether new or old, which identified or provided access to the disputed accounts opened in Plaintiffs’ names each qualified as a ‘card, code, or other means of access’ to those accounts” under [EFTA] § 1693i(a).” Since the opening of an account “necessarily must be accompanied with an account number associated with that account,” the court found that the plaintiffs sufficiently stated a claim that the bank violated § 1693i(a). Among other things, the court disagreed with the bank’s argument that it could not “have been unjustly enriched by assessing [the plaintiff] fees in exchange for her acceptance of the services [the bank] provides,” stating that the bank’s argument “either misunderstands or purposefully misconstrues the basis” for the plaintiff’s claim, which was that the bank “opened the account in her name without her permission, and therefore did not have a contractual basis for assessing such fees associated with maintaining that account[.]” The court also allowed the plaintiffs’ unjust enrichment claim and Massachusetts Consumer Protection Act claim to proceed. While the court provided the plaintiffs the opportunity to file an amended complaint to revive their dismissed breach of contract claims, their FCRA allegations were dismissed with prejudice.