On September 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $894,111 settlement with a New York-based telecommunications systems and software company for four apparent violations of the Sudanese Sanctions Regulations (SSR). According to OFAC’s web notice, between June 2014 and October 2015, the company—through its wholly owned subsidiary—allegedly “indirectly exported warrantied satellite equipment and facilitated services and training to a government-owned entity in Sudan” in apparent violation of the SSR. Among other things, OFAC noted that the company and its subsidiary knew that the end-user of the equipment and services was the Sudan Civil Aviation Authority (SCAA), but the companies still organized the shipment of equipment through a Canadian company despite receiving multiple warnings about OFAC’s export restrictions for Sudan. Once it became known that the SCAA was the ultimate end-user, OFAC contended that the subsidiary’s former Director of Logistics and Export Compliance Official allegedly “attempted to transfer OFAC compliance obligations from [the subsidiary] to the Canadian [c]ompany.” Additionally, OFAC denied the subsidiary’s license application to provide certain warranty services.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the subsidiary “demonstrated reckless disregard for U.S. sanctions requirements and failed to exercise a minimal degree of caution or care by approving warranty services for equipment provided to SCAA while an OFAC license was still pending”; (ii) the subsidiary did not heed warning signs indicating the transactions could have led to the apparent violations; and (iii) the subsidiary’s explanations in response to OFAC subpoenas and a request for information were inconsistent, which required OFAC to expend “significant additional time and resources” building an accurate record of the apparent violations. OFAC also considered that it had not issued a violation against the company or its subsidiary in the five years preceding the earliest transaction at issue.
On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.
Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”
On September 17, the U.S. Court of Appeals for the Eleventh Circuit reversed and vacated a district court judgment awarding an “incentive payment” to a TCPA class action representative, concluding it violates a U.S. Supreme Court decision prohibiting such awards. Additionally, the 11th Circuit remanded the case so that the district court could adequately explain its findings on the fees and costs issues. According to the opinion, a consumer initiated a TCPA class action against a collection agency for allegedly calling phone numbers that had originally belonged to consenting debtors but were subsequently reassigned to non-debtors. The action quickly moved to settlement and one class member objected, challenging “the district court’s decision to set the objection deadline before the deadline for class counsel to file their attorneys’-fee petition.” Additionally, among other things, the objector argued that the proposed $6,000 incentive award to the class action representative violates the 1880s Supreme Court decisions in Trustees v. Greenough and Central Railroad & Banking Co. v. Pettus. The district court overruled the class member’s objections.
On appeal, the 11th Circuit concluded that the district court “repeated several errors” that “have become commonplace in everyday class-action practice.” Specifically, the appellate court held that the district court “violated the plain terms of Federal Rule of Civil Procedure 23(h)” by setting the settlement objection date more than two weeks before the date class counsel had to file their attorneys’ fee petition. The appellate court also concluded that the district court violated the Supreme Court’s rule from Greenough and Pettus, which provides that “[a] plaintiff suing on behalf of a class can be reimbursed for attorneys’ fees and expenses incurred in carrying on the litigation, but he cannot be paid a salary or be reimbursed for his personal expenses.” The 11th Circuit noted that modern-day incentive awards pose even more risks than the concerns from Greenough, promoting “litigation by providing a prize to be won.” Thus, according to the appellate court, although incentive awards may be “commonplace” in class action litigation, they are not lawful and, therefore, the district court’s decision must be reversed.
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of customer accounts from a series of cyberattacks. As previously covered by InfoBytes, the AG claimed that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in more than 20,000 compromised accounts and “tens of thousands” of dollars stolen. Following the attacks, the AG alleged that the company failed to take steps to protect the affected customers or to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. The settlement, subject to court approval, would require the company to (i) notify affected customers, reset their passwords, and refund any stored value cards used without permission; (ii) pay $650,000 in penalties and costs; (iii) maintain safeguards to protect against similar attacks in the future; and (iv) develop and follow appropriate incident response procedures.
On September 15, the CFPB filed a complaint and proposed stipulated judgment against a trust, along with three banks acting in their capacity as trustees to the trust, for allegedly providing substantial assistance to a now defunct for-profit educational institution in engaging in unfair acts and practices in violation of the Consumer Financial Protection Act. The Bureau asserted that the trust owned and managed private loans for students attending the defunct institution, even though the trust “allegedly knew or was reckless in not knowing that many student borrowers did not understand the terms and conditions of those loans, could not afford them, or in some cases did not even know they had them.” The Bureau alleged that the defunct institution induced students to take out loans through several unfair practices, including “using aggressive tactics, and in some cases, gaining unauthorized access to student accounts to sign students up for loans without permission.” These loans, the Bureau contended, carried default rates well above what was expected for student loans. According to the Bureau, the trust was allegedly actively involved in the servicing, managing, and collection of these student loans.
If approved by the court, the Bureau’s proposed settlement would require the trust to (i) cease collection efforts on all outstanding loans owned and managed by the trust; (ii) discharge all outstanding loans owned and managed by the trust; (iii) ask all consumer reporting agencies to delete information related to the trust’s loans; and (iv) notify all affected consumers of these actions. The Bureau estimated that the total amount of loan forgiveness is roughly $330 million.
This settlement is the third reached by the Bureau in relation to the defunct institution’s private loan programs. In 2019, the defunct institution reached a settlement with the Bureau (covered by InfoBytes here), which required the payment of a $60 million judgment. Additionally, the Bureau entered into another settlement in 2019 with a different company that managed student loans for the defunct institution’s students, which required the loan management company to comply with similar requirements as the trust (covered by InfoBytes here).
On September 11, the U.S. Court of Appeals for the Ninth Circuit, in a split decision, upheld the district court order requiring a publisher and conference organizer and his three companies (defendants) to pay more than $50.1 million to resolve allegations that the defendants made deceptive claims about the nature of their scientific conferences and online journals and failed to adequately disclose publication fees in violation of the FTC Act. As previously covered by InfoBytes, in an action filed in the U.S. District Court for the District of Nevada, the FTC alleged the defendants misrepresented that their online academic journals underwent rigorous peer reviews; instead, according to the FTC, the defendants did not conduct or follow the scholarly journal industry’s standard review practices and often provided no edits to submitted materials. Additionally, the FTC alleged that the defendants failed to disclose material fees for publishing authors’ work when soliciting authors and that the defendants falsely advertised the attendance and participation of various prominent academics and researchers at conferences without their permission or actual affiliation. The district court agreed with the FTC and, among other things, ordered the defendants to pay more than $50.1 million in consumer redress.
On appeal, the split 9th Circuit agreed with the district court, concluding that the defendants violated the FTC Act, noting that despite the “overwhelming evidence against them,” the defendants “made only general denials” and did not “create any genuine disputes of material fact as to their liability.” The appellate court emphasized that the misrepresentations made by the defendants were “material” and “did in fact, deceive ordinary customers.” Moreover, among other things, the appellate court held that the defendants failed to meet their burden to show that the FTC “overstated the amount of their unjust gains by including all conference-related revenue.” Specifically, the appellate court determined that conferences were “part of a single scheme of deceptive business practices,” even though the conferences were individual, discrete events. Because the marketing was “widely disseminated,” the court determined that the FTC was entitled to a rebuttable presumption that “all conference consumers were deceived.”
In partial dissent, a judge asserted the FTC “did not reasonably approximate unjust gains” by including all conference-related revenue, because “the FTC’s own evidence indicates that only approximately 60% of the conferences were deceptively marketed.” Thus, according to the dissent, the case should have been remanded to the district court to determine whether the FTC can meet its initial burden.
On September 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced two settlements totaling $583,100 with the U.S.-based subsidiary of a global financial institution for apparent violations of the Ukraine-Related Sanctions Regulations. According to OFAC, the financial institution allegedly agreed to process a funds transfer exceeding $28 million through the U.S. related to a series of purchases of fuel oil involving a property interest of an oil company in Cyprus that was previously designated by OFAC. OFAC alleged that at the time the payment was processed, the bank “had reason to know of the designated oil company’s potential interest, but did not conduct sufficient due diligence to determine whether the designated oil company’s interest in the payment had been extinguished.” The bank agreed to pay $157,500 to resolve the apparent violation.
Additionally, OFAC stated the bank also agreed to separately remit $425,600 for apparent violations stemming from the processing of 61 transactions “destined for accounts at a designated financial institution.” The bank allegedly failed to stop these payments because its sanctions screening tool did not include a specific business identifier code assigned to the designated financial institution, OFAC claimed, and its screening tool “was calibrated so that only an exact match to a designated entity would trigger further manual review.”
In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the apparent violations were non-egregious; (ii) the bank had in place “an OFAC compliance program at the time of the apparent violations”; and (iii) the bank has undertaken remedial efforts to address the deficiencies, including reviewing the circumstances of the apparent violations with its U.S. sanctions compliance unit, and agreeing to conduct additional training and implement changes to internal procedures as necessary.
OFAC also considered various aggravating factors, including that “several senior managers within the bank’s anti-financial crime division, as well as a representative from its counsel’s office, failed to exercise a minimal degree of caution or care in connection with the conduct that led to the apparent violation,” and had actual knowledge of the alleged conduct.
On August 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. If granted final approval, the settlement would resolve consolidated class action claims that the social media company violated the Illinois Biometric Information Privacy Act (BIPA) by allegedly developing a face template that used facial-recognition technology without users’ consent. A lesser $550 million settlement deal filed in May (covered by InfoBytes here) was rejected by the court due to “concerns about an unduly steep discount on statutory damages under the BIPA, a conduct remedy that did not appear to require any meaningful changes by [the social media company], over-broad releases by the class, and the sufficiency of notice to class members.” The preliminarily approved settlement would also require the social media company to provide nonmonetary injunctive relief by setting all default face recognition user settings to “off” and by deleting all existing and stored face templates for class members unless class members provide their express consent after receiving a separate disclosure on how the face template will be used.
On August 14, the U.S. District Court for the District of Oregon refused to reduce a $925 million statutory damages award against a company found to have violated the TCPA by sending almost two million unsolicited robocalls to consumers. The company argued that the statutory damages award violates due process because “it is so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.” The court rejected the company’s argument that the penalty was unconstitutionally excessive, noting that the U.S. Court of Appeals for the Ninth Circuit has not yet answered the question as to “whether due process limits the aggregate statutory damages that can be awarded in a class action lawsuit under the TCPA.” Instead, the district court concluded that the allowance for at least $500 per violation under the TCPA is constitutionally valid and that the penalty’s “large aggregate number comes from simple arithmetic.” Referencing an opinion issued by the U.S. Court of Appeals for the Seventh Circuit, the court reasoned that “[s]omeone whose maximum penalty reaches the mesosphere only because the number of violations reaches the stratosphere can’t complain about the consequences of its own extensive misconduct.” Thus, the court rejected the company’s argument that the aggregate damages award should be reduced, finding that due process does not require the reduction of the aggregate statutory award where the company violated the TCPA nearly two million times.
On August 10, the U.S. District Court for the Southern District of Florida granted final approval of a $7.5 million settlement, resolving a decade-long multidistrict litigation concerning overdraft fees. The settlement covers allegations that a U.S.-based affiliate of an international bank improperly assessed and collected overdraft fees due to “high-to-low posting.” In 2012, the bank was purchased by a U.S. national bank and the national bank inherited the litigation as the successor in interest. The settlement involves over 148,000 class members, “who, from October 10, 2007 through and including March 1, 2012, incurred one or more Overdraft Fees as a result of [the bank]’s High-to-Low Posting.” The $7.5 million settlement includes $10,000 to the sole class representative and over $2.6 million to the class attorneys (representing 35% of the settlement fund).