On November 2, two healthcare providers settled with plaintiffs after eight years of litigation between the district court and the U.S. Court of Appeals for the 6th Circuit, stemming from alleged violations of the FDCPA, breach of contract, and violations of the Ohio Consumer Sales Practices Act, among other things. According to the order, the defendants allegedly contacted plaintiffs and their legal counsel, requesting that their legal counsel sign a letter to forego any legal settlement or judgment against the defendants to prevent plaintiffs’ accounts from being sent to collections, despite having plaintiffs’ health insurance information. While the defendants deny any fault, wrongdoing, or liability in connection with the claims, the parties agreed to a settlement amount of $3.5 million, with each claimant receiving a cash payment of $25. The class is comprised of 12,000 individuals with health insurance plans accepted by the healthcare provider who were patients at an Ohio facility from 2009 to 2023, and subsequently made payments or were asked to make payments for their treatment, excluding co-pays or deductibles. Additionally, certain class members will also receive a cash payment equal to fifty percent of the amount paid to the healthcare provider.
On November 3, the FTC filed suit against a fintech firm within the U.S. Southern District Court of New York. The FTC alleged the fintech mobile app misled customers, “violated Section 5 of the FTC Act[,] and made it hard to cancel services in violation of the Restore Online Shoppers’ Confidence Act (ROSCA).” However, the FTC and Defendant stipulated the entry of a proposed settlement order that includes a monetary judgment of $18 million for consumer refunds and requires Defendant to stop its deceptive marketing practices and end tactics that prevented customers from canceling services. The first time the FTC had collected civil penalties under ROSCA was in January 2023, as previously covered by InfoBytes.
The FTC’s complaint alleges that consumers were deceived into signing up for a $250 cash advance, but many users were unable to receive any money at all. Furthermore, consumers first had to enroll in a $9.99 monthly membership, regardless of whether they qualified for the $250. In addition, if a user wished to cancel their monthly membership, the fintech firm employed “dark” and manipulative design tricks to “create a confusing and misleading cancellation process that prevented consumers from canceling their subscriptions.” The FTC’s proposed settlement order must first be approved by a federal judge before it can go into effect.
On October 17, a healthcare clearinghouse reached a $1.4 million settlement with a coalition of 33 state attorneys general for allegedly exposing the protected health information of approximately 1.5 million consumers. As a health care clearinghouse, the company facilitates transactions between health care providers and insurers. The states began investigating the company in 2019, when the U.S. Department of Health and Human Services discovered that personal health information maintained by the company was available through search engines, which appeared to be the result of a coding error by the company. According to the states, after the company was alerted to the breach, it delayed notification to impacted customers for over three months and sent notices to impacted consumers that were vague and confusing. Under the settlement, in addition to the $1.4 million payment, the company agreed to overhaul its data security and breach notification practices. The multistate coalition was led by the Indiana Attorney General’s Office.
On October 16, a national payment processor entered into two settlement agreements totaling $20 million with 44 state and territory money transmission regulators and 50 state and territory attorneys general to resolve issues stemming from alleged erroneous payment transactions. The alleged erroneous payments involved the mistaken initiation of payments on behalf of almost 480,000 mortgage borrowers, with the total amount at issue totaling nearly $2.4 billion.
According to the settlement entered into between the payment processor and the money transmission regulators, who were working through the Multi-State Money Service Business Examination Taskforce, the mistaken payments resulted from a breakdown of internal data security controls that allowed customer data intended for use in the testing of processing code to trigger actual payments. The payment processor, which regularly provided payment processing services to a large residential mortgage lending and servicing company, was using actual customer mortgage payment data for test purposes. As alleged in the settlement, it was determined that in the process of conducting testing on processing code to optimize the payment processor’s payment platform, more than 1.4 million payment entries were unintentionally and erroneously processed. This erroneous payment processing was said to be primarily the result of “circumvention of internal data security controls and a lack of segregation between internal production and testing environments.”
The settlement reached with the money transmission regulators requires the payment processor to maintain a comprehensive risk and compliance program and to provide regular reporting to a state regulator monitoring committee to ensure the adequacy of its risk management programs.
Under the terms of the settlement with the money transmission regulators, the payment processor is required to pay a total of $10 million, with approximately $9.5 million of that total being shared evenly by each participating state, with the remaining roughly $500,000 being used to cover the administrative costs of the investigating states. Under the agreement with the state attorneys general, the payment processor is required to pay an additional $10 million to the various participating states and territories. These amounts are in addition to the $25 million fine previously agreed to in the CFPB Consent Order, bringing the total amount to be paid by the payment processor to $45 million.
On October 12, the FTC announced it has reached a settlement with a bankrupt crypto company, which will permanently ban the company from managing consumer assets. According to the federal court complaint, the FTC alleged that from at least 2018, respondent attracted customers by promising their deposits would be secure, but when the company failed, consumers lost access to significant assets, resulting in over $1 billion in cryptocurrency asset losses. The FTC alleges violations of the FTC Act and the Gramm-Leach-Bliley Act's prohibition on obtaining financial information through false statements. Respondent allegedly misled consumers by claiming their assets were safe on the platform, stating that "YOUR USD IS FDIC INSURED." However, respondent is not a bank and the deposits were not eligible for FDIC insurance. The FTC complaint also alleged that the FDIC does not insure cryptocurrency assets, and consumers' cash deposits were placed in an account held by respondent at a traditional bank. Consumers' funds were protected only if that bank failed, but their cryptocurrency was not protected at all.
The proposed settlement with respondent and its affiliates permanently bans them from offering, marketing, or promoting any product or service related to depositing, exchanging, investing, or withdrawing assets. Respondent and its affiliates have agreed to a judgment of $1.65 billion, which will be suspended to allow the bankrupt company to return its remaining assets to consumers through bankruptcy proceedings. The proposed settlement also prohibits respondent and its affiliates from managing consumer assets, misrepresenting product benefits, making false representations to obtain financial information, and disclosing nonpublic personal information without consent.
The FTC also announced that it is filing a lawsuit against the respondent’s CEO for making false claims that consumer accounts were FDIC-insured. Respondent’s CEO has not agreed to a settlement, and the FTC's case against him will proceed in federal court. “In a parallel action, on October 12, the Commodity Futures Trading Commission separately charged [respondent’s CEO] with fraud and registration failures,” the FTC added.
On October 11, an automotive management company settled claims by the Department of Justice alleging that the company had violated the False Claims Act by knowingly providing false information in support of its Paycheck Protection Program (PPP) loan forgiveness application.
According to the DOJ’s allegations, the automotive management company certified it was a small business with fewer than 500 employees when in fact it shared common operational control with dozens of automobile dealerships with more than 3,000 employees in total.
On October 5, a software provider serving nonprofit fundraising entities agreed to pay almost $50 million to settle claims with 49 states and the District of Columbia alleging that the provider maintained insufficient data security measures and inadequately responded to a 2020 data breach. Specifically, the settlement resolved claims that the software provider violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).
According to the allegations, the data breach exposed donor information, including Social Security numbers and financial records, of over 13,000 nonprofit groups and organizations, and the provider waited two months before informing these clients of the breach.
The settlement requires the provider to improve its cybersecurity protections and breach notification procedures.
Earlier this year, the software provider also settled claims with the SEC for $3 million to address allegations of misleading disclosures relating to the same 2020 data breach.
On September 29, NYDFS announced a settlement with a South Korean-based bank’s American subsidiary to resolve allegations of repeated violations of AML requirements, the Bank Secrecy Act (BSA), and New York law. According to the consent order, DFS examined the respondent seven times in less than 10 years, and the respondent entered into a consent order with the FDIC in 2017 for BSA/AML compliance, among other things. DFS claims that the respondent violated (i) New York Banking Law § 44 by conducting its business in an unsafe and unsound manner; (ii) 3 NYCRR § 116.2 by failing to maintain an effective AML compliance program; and (iii) 23 NYCRR § 504.4 by incorrectly certifying compliance with Part 504. To resolve the claims, the respondent agreed to pay a $10 million civil money penalty and to draft a written plan detailing improvements to its compliance policies and procedures, among other things.
On September 27, the DOJ announced a $9 million settlement agreement with a Rhode Island-based community bank to resolve allegations that the bank engaged in a pattern or practice of lending discrimination by engaging in “redlining” in Rhode Island. The DOJ’s complaint claimed that from 2016 to at least 2021, the bank failed to provide mortgage lending services in majority-Black and Hispanic neighborhoods in Rhode Island. The DOJ also alleged that all of the bank’s branches were concentrated in majority-white neighborhoods, and that the bank did not take meaningful measures to compensate for not having a physical presence in majority-Black and Hispanic communities.
Under the proposed consent order, the bank will, among other things, (i) invest at least $7 million in a loan subsidy fund for majority-Black and Hispanic neighborhoods in Rhode Island to increase access to credit for home mortgage, improvement, and refinance loans, and home equity loans and lines of credit; (ii) invest $1 million towards outreach, advertising, consumer financial education, and credit counseling initiatives; (iii) invest $1 million in developing community partnerships to expand access to residential mortgage credit for Black and Hispanic consumers; (iv) establish two new branches, ensure at least two mortgage loan officers, and employ a “Director of Community Lending” in majority-Black and Hispanic neighborhoods in Rhode Island; (v) conduct a community credit needs assessment; and (vi) produce a fair lending status report and compliance plan and conduct fair lending training. The announcement cited the bank’s cooperation with the DOJ to remedy the identified redlining concerns.
On September 25, the SEC announced two enforcement actions against a subsidiary (respondent) of a German multinational investment bank and financial services company, in which the respondent agreed to pay a total of $25 million in penalties arising from (i) purportedly misleading statements respondent made regarding its Environmental, Social, and Governance (ESG) program; and (ii) its failure to develop a mutual fund Anti-Money Laundering (AML) program. According to the order, respondent allegedly marketed itself to clients and investors as a leader in ESG that adhered to specific policies for integrating ESG considerations into its investments but failed to implement certain provisions of its global ESG integration policy. The order contains a number of statements that respondent made concerning its ESG program that the SEC found to be materially misleading. For example, respondent allegedly represented through its ESG Policy that its research analysts were required to include financially material and reputation relevant ESG aspects into its valuation models, investment recommendations and research reports and consider material ESG aspects as part of their investment decision, but respondent’s internal analyses allegedly showed that research analysts have inconsistent levels of documented compliance with this requirement. The SEC determined that respondent’s failure to implement certain policies and procedures violated multiple sections of the Advisers Act, including Section 206(2), “which prohibits an investment adviser, directly or indirectly, from engaging ‘in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.’”
Through the ESG order, respondent has agreed to pay a $19 million civil penalty and to cease and desist from committing any further violations of the violated sections of the Advisers Act. The SEC also charged respondent in a separate anti-money laundering order for failure to comply with the Bank Secrecy Act and FinCEN regulations. Respondent neither admitted nor denied the SEC’s claims.