On November 25, the CFPB announced a settlement with two companies that originated and serviced travel-related loans for military servicemembers and their families. According to the consent order with the lender and its principal, the lender (i) charged fees to customers who obtained financing, at a higher rate than those customers who paid in full, but failed to include the fee in the finance charge or APR; (ii) falsely quoted low monthly interest rates to customers over the phone; and (iii) failed to provide the required information about the terms of credit and the total of payments in violation of TILA and the TSR. The consent order prohibits future lending targeted to military consumers and requires the lender and its principal to pay a civil money penalty of $1. The order also imposes a suspended judgment of almost $3.5 million, based on an inability to pay.
In its consent order against the servicer, the Bureau asserts the servicer engaged in deceptive practices by overcharging servicemembers for debt-cancellation products and, in violation of the FCRA’s implementing Regulation V, never established or maintained written policies and procedures regarding the accuracy of information furnished to credit reporting agencies. The consent order issues injunctive relief and requires the servicer to (i) pay a $25,000 civil money penalty; (ii) provide redress to consumers who were allegedly overcharged for the debt-cancellation product; (iii) pay over $54,000 in restitution to borrowers with no outstanding balance on their loans and issue additional account credits to borrowers with outstanding balances; and (iv) establish reasonable policies and procedures for accurate reporting to consumer reporting agencies.
On November 22, the CFPB announced a settlement with an employment background screening company resolving allegations that the company violated the FCRA. In the complaint, the Bureau asserts that the company failed to “employ reasonable procedures to assure maximum possible accuracy” in the consumer reports it prepared. Specifically, the Bureau claims that until October 2014, the company matched criminal records with applicants based on only two personal identifiers, which created a “heightened risk of false positives” in commonly named individuals. The company also had a practice of including “high-risk indicators,” sourced from a third party, in its consumer reports and did not follow procedures to verify the accuracy of the designations. Additionally, the Bureau asserts that the company failed to maintain procedures to ensure that adverse public record information was complete and up to date, resulting in reporting outdated adverse information in violation of the FCRA. Under the stipulated judgment, in addition to injunctive relief, the company will be required to pay $6 million in monetary relief to affected consumers and a $2.5 million civil money penalty.
On November 13, the Washington attorney general announced an office supply company has agreed to pay $900,000 to resolve an investigation into deceptive computer repair services. According to the AG’s office, the company allegedly used a software program, called “PC Health Check” or similar names, to facilitate the sale of diagnostic and repair services to retail customers that cost up to $200, regardless of whether their computer was actually infected with viruses or malware. The company claimed that the program detected malware symptoms on consumers’ computers, but the program allegedly based its results on answers to four questions consumers were asked by a company employee at the beginning of the service, including whether the computer had slowed down, had issues with frequent pop-up ads, received virus warnings, or crashed often. After the questions were asked, the responses were entered into the program and a simple scan of the computer was run. The AG’s office claims that the scan had no connection to the malware symptoms results because an affirmative answer by the consumer to any of the four questions always led to the report of actual or potential malware symptoms. The release also states that in 2012, a company employee informed management that “the software reported malware symptoms on a computer that ‘didn’t have anything wrong with it,’” but that the company continued to sell the repair services until 2016 to an estimated 14,000 Washington consumers. According to the AG’s release, Washington is the only state to reach an agreement with the company over the alleged practices in addition to the $35 million national settlement the company and its software vendor reached with the FTC in March for similar conduct. (Previous InfoBytes coverage here.)
On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”
The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.
The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.
On November 6, the CFPB filed an amicus brief with the Court of Appeals of Maryland in a case challenging a private class action settlement against a structured settlement company, which purports to “release the Bureau’s claims in a pending federal action, to enjoin class members from receiving benefits from the Bureau’s lawsuit, and to assign any benefits the Bureau might obtain for class members to the class-action defendants.” As previously covered by InfoBytes, in 2017, the U.S. District Court for the District of Maryland allowed a UDAAP claim brought by the CFPB to move forward against the same structured settlement company, where the Bureau alleged the company employed abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. A similar action was also brought by the Maryland attorney general against the company. In addition to the state and federal enforcement actions, the plaintiffs filed a private class action against the company, and a trial court approved a settlement. The Court of Special Appeals reversed the lower court’s approval of the settlement, concluding that it “interferes with the [state’s] and Bureau’s enforcement authority.” The company appealed.
In its brief to the Maryland Court of Appeals, the Bureau argues that the Court of Special Appeals decision should be affirmed because the settlement provisions “threaten to interfere with the Bureau’s authority under the [Consumer Financial Protection Act] in two significant ways.” Specifically, the Bureau argues that the settlement (i) could interfere with the Bureau’s statutory mandate to remediate consumers harmed through the Civil Penalty Fund; and (ii) would interfere with the Bureau’s authority to use restitution to remediate consumer harm. The Bureau states that “the risk of windfalls to such wrongdoers could force the Bureau to decline to award Fund payments to victims,” and would “threaten to offend basic principles of equity.”
On November 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $210,600 civil settlement with a U.S. aviation investment company to resolve 12 alleged violations of the Sudanese Sanctions Regulations (SSR), which prohibit U.S. persons from dealing in property and interests in property of the Government of Sudan. The settlement addressed allegations that the company leased three aircraft engines to a United Arab Emirates-incorporated entity, which then subleased the engines to a Ukrainian airline that had the engines installed on an aircraft that was “wet leased” to a Sudanese airline. According to OFAC, the company violated SSR regulations because OFAC’s List of Specially Designated Nationals and Blocked Persons identified the Sudanese airline as meeting the definition of “Government of Sudan” at the time of the alleged transactions.
In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) company personnel were not aware of the conduct leading to the alleged violations; (ii) OFAC has not issued a violation against the company in the five years preceding the earliest date of the transactions at issue; and (iii) the company cooperated with the investigation. OFAC also noted that the company undertook several remedial measures in response to the alleged violations, including implementing additional compliance processes such as improving its “Know-Your-Customer screen procedures” and employee training, and obtaining “U.S. law export compliance certificates from lessees and sublessees.”
OFAC also considered various aggravating factors, including that the violations harmed U.S. sanctions program objectives, and that the company failed to properly monitor the precise whereabouts of the engines during the life of the leases.
On October 28, the U.S. District Court for the Northern District of Illinois granted final approval of a $12.5 million TCPA class action settlement between a group of consumers and three cruise lines and their marketing group (collectively, “defendants”). According to the opinion, a consumer filed the action against the defendants alleging they violated the TCPA’s prohibition of the use of an autodialer without prior consent. While the motion for class certification was pending, the parties reached an agreement-in-principle for a class-wide settlement. The settlement requires the defendants to, among other things, set up a common fund of $12.5 million to permit each claimant to “recover for up to three calls per telephone number, with a maximum value for each call set at $300.” The court noted that after deducting attorneys’ fees, other costs, and an incentive award for the principal plaintiff, the nearly 275,000 class members will be eligible to receive an average of about $22 per claim. The court noted that while $22 is “significantly below the $500 recovery available under the statute for each call… a settlement does not need to provide the class with the maximum possible damages in order to be reasonable.” The court went on to state that the settlement “still serves the purpose of punishing [the cruise lines] for their role in the controversy,” and the total settlement fund is a “deterrent to potential future defendants who might think twice about violating the TCPA in an effort to boost business.”
On October 30, the U.K. Information Commissioner’s Office (ICO) announced an agreement reached between the ICO and a social media company that resolves an investigation into the company’s alleged misuse of personal data. The company has agreed to withdraw its appeal of the £500,000 penalty issued last year under section 55A of the Data Protection Act 1998 (DPA) and settle the case without an admission of guilt. The investigation stems from a data incident affecting upwards of 87 million users worldwide that included the processing of personal data about U.K. users in the context of a U.K. establishment. According to the ICO, the company violated principles of the DPA by (i) unfairly processing personal data; and (ii) failing “to take appropriate technical and organi[z]ational measures against unauthori[z]ed or unlawful processing of personal data.” The ICO published a statement by the company’s associate general counsel in which he noted that the company has “made major changes” to its platform that significantly restrict the information accessible to app developers, and that “[p]rotecting people’s information and privacy is a top priority for [the company].”
On October 16, Maxine Waters, Chairwoman of the House Financial Services Committee, released a majority staff report titled, “Settling for Nothing: How Kraninger’s CFPB Leaves Consumers High and Dry,” which details the results of the majority’s investigation into the CFPB’s handling of consumer monetary relief in enforcement actions since Richard Cordray stepped down as director in November 2017. The report argues that, under the leadership of Acting Director Mick Mulvaney and Director Kathleen Kraninger, the Bureau’s enforcement actions “have declined in volume and failed to compensate harmed consumers adequately.” Specifically, the report states that under Cordray’s leadership, “the average enforcement action by the [Bureau] returned $59.6 million to consumers, as compared to an average $31.4 million per action under Mulvaney,” but notes that $335 million of the $345 million in consumer relief obtained during Mulvaney’s tenure resulted from one settlement with a national bank (previously covered by InfoBytes here). With respect to Director Kraninger, the report acknowledges that the pace of enforcement actions increased compared to Mulvaney; however, the Bureau ordered “only $12 million in consumer relief” during her first six months, as compared to “approximately $200 million in consumer relief” during a similar six months of Cordray’s tenure.
The report highlights specifics from the investigation into settlements announced in early 2019, which resulted in civil penalties but not consumer monetary relief. The report argues that, based on the review of the internal documents received from the Bureau, the lack of consumer relief was due to the “politicization of the [Bureau],” which “contributed to the decline in the [Bureau]’s enforcement activity” rather than the merits of the enforcement actions, notwithstanding that the internal documents reflect the assessment of certain weaknesses in the Bureau’s positions. The report attributes such politicization to the introduction of political appointee positions throughout the Bureau that oversee each of the divisions. The report concludes by urging Congress to pass the Consumers First Act (HR 1500), which, among other things, seeks to limit the number of political appointees at the Bureau.
On October 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a settlement of more than $2.7 million with a multinational corporation, on behalf of three subsidiaries, to resolve potential civil liability for 289 alleged violations of the Cuban Assets Control Regulations (CACR). The settlement resolves allegations that between December 2010 and February 2014, the subsidiaries accepted payments on 289 occasions from an entity identified on OFAC’s List of Specially Designated Nationals and Blocked Persons “for goods and services provided to a Canadian customer.” OFAC alleged that although the subsidiaries negotiated and entered into contracts with the Canadian customer—and invoices were sent to the customer—the designated entity was approved as a third-party payer and paid more than 65 percent of the total transactions. OFAC asserted that the subsidiaries failed to undertake sufficient diligence into the activities of the Canadian customer, and noted that the sanctions screening software used by the subsidiaries was set to screen for only one version of the designated entity’s name.
In arriving at the settlement amount, OFAC considered various mitigating factors including that (i) OFAC has not issued a violation against the subsidiaries in the five years preceding the earliest date of the transactions at issue; (ii) the corporation identified the alleged violations by testing and auditing its compliance program, and implemented several remedial measures in response to the alleged violations, which included improvements to its compliance program; and (iii) the corporation entered into, and agreed to extend, multiple statute of limitations tolling agreements.
OFAC also considered various aggravating factors, including that (i) the subsidiaries “failed to take proper or reasonable care with respect to their U.S. economic sanctions obligations”; (ii) the subsidiaries’ actions allowed a large volume of high-value transactions to be conducted with the designated entity, causing “substantial harm” to the CACR objectives; and (iii) the corporation’s submissions to OFAC “leave substantial uncertainty about the totality of the benefits conferred” to the designated entity through the Canadian customer.