InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Announces Two Separate Settlements to Resolve Allegedly Deceptive Telemarketing Schemes
On September 1, the FTC issued a press release announcing a settlement with a Utah-based operation and its owner (Defendants) to resolve allegations that the company had created merchant accounts to help telemarketers process consumer credit card transactions in violation of the Federal Trade Commission Act (FTC Act) and the Telemarketing Sales Rule (TSR). According to the complaint, Defendants nominated individuals to serve as “principals” of straw companies, which then were used to open merchant accounts to assist telemarketers who did not meet the requirements or standards for opening the accounts on their own. The telemarketers, in turn, allegedly deceived consumers by making false promises regarding business opportunities that they claimed would generate substantial income, and processed credit card payments from consumers using the straw company merchant accounts for the allegedly “worthless opportunities.” Under the terms of the order, Defendants are permanently banned from the payment processing business, including acting as an independent sales organization or sales agent, and must pay a judgment of more than $3 million. The FTC suspended the judgment due to the Defendants’ inability to pay, but noted that it “will become due immediately if [Defendants] are found to have misrepresented their financial condition.”
Separately on August 31, the FTC announced that a default judgment had been issued in a pending action brought against the operators of a deceptive telemarketing scheme who allegedly targeted Spanish-speaking consumers by pretending to be affiliated with the Peruvian government and deceived consumers by giving the impression that the calls were from emergency responders or by people the consumers had provided as references. The allegations, which violated the FTC Act and the TSR, claimed that consumers were presented opportunities to participate in language courses at discounted prices and were misled about prizes they had won. When consumers declined to participate or cancelled delivery of the prizes, the telemarketers made “false and threatening” claims of “legal or financial consequences,” allegedly posing as lawyers or government officials. Under the terms of the default judgment, the telemarketers (i) are ordered to pay $6.3 million as equitable monetary relief; (ii) are banned from telemarketing activities; and (iii) prohibited from misrepresenting material facts.
FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security
On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”
According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (iii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.
The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.
Mortgage Company, Real Estate Services Companies Reach $17 Million Class Action Settlement for Alleged RESPA Violations
On August 25, a national mortgage company and a real estate services family of companies (Defendants) together entered into a $17 million settlement to end a putative class action lawsuit accusing them of arranging kickbacks for unlawful referrals of title services in violation of the Real Estate Settlement Procedures Act (RESPA). The complaint, filed in 2015 in the U.S. District Court for the Central District of California, accused Defendants—along with various affiliates—of violating RESPA by allegedly facilitating the exchange of unlawful referral fees and kickbacks through an affiliated business arrangement, while also directing various banks to refer title insurance and other settlement services to a subsidiary in the real estate services family of companies without informing customers of the relationship between the entities. According to a memorandum in support of the motion seeking preliminary approval of the settlement, the real estate services family of companies was “obligated to refer their customers exclusively to [the mortgage company] for mortgage loans, and, in return, [the mortgage company] was required to refer all settlement services back to [the real estate services enterprise’s] subsidiaries.” While a federal judge dismissed the first and second amended complaints “on the basis that Plaintiffs failed to plead sufficient facts for equitable tolling of RESPA’s one-year statute of limitations,” the same judge denied Defendants’ motion to dismiss a third amended complaint because “Defendants’ contention regarding equitable tolling for the statute of limitations was ‘better resolved in either a motion for summary judgment or trial.’” A fourth amended complaint, filed in July 2017, amended certain claims and added additional class plaintiffs, well after settlement discussions had started.
A stipulation of settlement was filed alongside the motion for preliminary approval, in which Defendants continued “to deny each and all of the claims and contentions alleged in the [a]ction . . . [but] have concluded that the further conduct of the [a]ction against them would be protracted and expensive.” Furthermore, the stipulation noted that “substantial amounts of time, energy and resources have been and, unless this [s]ettlement is made, will continue to be devoted to the defense of the claims asserted in the [a]ction.” The proposed settlement class consists of more than 32,000 transactions related to borrowers who closed on mortgage loans originated by the mortgage company between approximately November 2014 through November 2015, and who paid any title, escrow or closing related charges to the real estate services companies. The proposed settlement stipulates that Defendants must pay $17 million into a settlement fund to be used to provide cash payments to class members, as well as a portion that will go towards class counsel attorney fees and litigation expenses pending court approval.
National Bank, Debt Collection Agency Reach $4.3 Million Class Action Settlement for Alleged FDCPA Violations
On August 21, a national bank and a debt collection agency (Defendants) together entered a $4.3 million settlement in a Fair Debt Collection Practices Act (FDCPA) class action lawsuit brought by borrowers who alleged the Defendants unlawfully attempted to collect certain mortgage payments. The July 2015 complaint, filed in the U.S. District Court for the Southern District of California, accused Defendants of violating the FDCPA, California’s Rosenthal Fair Debt Collection Practices Act, and California’s Unfair Competition Law, Business and Professions Code when they sent more than 20,000 allegedly misleading, unenforceable payment notices to borrowers after the bank had released the liens on the properties securing the mortgage loans.
According to a memorandum in support of the motion seeking preliminary approval of the settlement, approximately three percent of the 23,376 members of the settlement class members made payments on unenforceable loans. The rest of the class did not make any payments. After three mediation sessions and a series of negotiations, Defendants agreed to award class members amounts based on their placement into one of three tranches: (i) tranche 1: borrowers who made at least one “challenged payment” on a purchase money mortgage; (ii) tranche 2: borrowers who made at least one challenged payment on a non-purchase money mortgage; and (iii) tranche 3: borrowers who received an “allegedly deceptive payment communication” but did not make any challenged payments. The settlement terms stipulate that class members in tranche 1 will receive an initial payment worth 76 percent of the total challenged payments they made, and members in tranche 2 will receive an initial distribution of 38 percent of what they paid. Class members from Tranche 1 and Tranche 2 will be eligible for a second distribution if sufficient funds remain available. An approximately $22 payment will be sent to the majority of the class members (who fall into tranche 3), which will be paid from the $500,000 maximum statutory civil penalty available under the Rosenthal Act. Class members are not required to do anything to receive their award.
Massachusetts AG Directs Refunds to Homeowners Affected by Force-Placed Insurance Policies
On August 11, Massachusetts Attorney General Maura Healey announced that “a major Massachusetts insurance company is paying more than $6.3 million in refunds to more than 4,500 homeowners who were improperly charged” for force-placed property insurance. According to the state’s investigation, the company unnecessarily charged some homeowners by force-placing duplicative insurance products, and overcharged others by force-placing commercial policies instead of less expensive residential policies. The company had settled with the AG’s Office in November 2015, paying $565,000 to the state and agreeing to an audit that would identify affected Massachusetts homeowners for refunds. According to the AG’s press release, the company “cooperated fully with the audit.”
FTC Announces Settlement with Ride-Sharing Company Over Privacy Allegations
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.
DOJ Announces Settlements with Non-Bank Mortgage Lender to Resolve Alleged False Claims Act Violations
On August 8, the DOJ announced a $74.5 million settlement with a non-bank mortgage lender and certain affiliates to resolve potential claims that they violated the False Claims Act by knowingly originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development and the Veterans Administration (VA), and by selling certain loans to Fannie Mae and Freddie Mac that did not meet applicable requirements. According to the terms of the two settlement agreements, $65 million of the settlement will be paid to resolve allegations relating to FHA loans, and $9.45 million will be paid to resolve potential civil claims relating to certain specified VA, Fannie Mae, and Freddie Mac loans. The settlements also fully resolved a False Claims Act qui tam lawsuit that had been pending in the United States District Court for the Eastern District of New York.
The settlement included no admission of liability by the lender. The lender issued a statement responding to the settlements: “We have agreed to resolve these matters, which cover certain legacy origination and underwriting activities, without admitting liability, in order to avoid the distraction and expense of potential litigation. While we cooperated fully in these investigations since receiving subpoenas in 2013, we concluded that settling these matters is in the best interest of [the company] and its constituents.”
National Insurance Company Settles States’ Investigation over 2012 Data Breach, Pays $5.5 Million in Settlement
On August 9, a national insurance company and its wholly-owned subsidiary reached a $5.5 million settlement with 32 states and the District of Columbia to resolve the states’ investigation into a 2012 data breach, which allegedly caused the personal information of certain consumers to be compromised—including social security and driver’s license numbers, as well as credit scoring information and other data. According to the states’ investigation, the October 2012 data breach occurred when hackers were able to exploit a vulnerability in the company’s website application hosting software. A security patch was later applied. Under the terms of the Assurance of Voluntary Compliance, the company agreed to a number of requirements, including:
- providing an online disclosure notifying consumers that personal information is retained even if they do not become insured;
- appointing an individual to oversee company security practices and manage and monitor software and application security updates, including security patch monitoring; and
- hiring an outside, independent provider to conduct a “patch management audit” of the company’s covered systems.
The majority of the requirements last three years.
The company, while admitting that it experienced a data breach, denied any liability or wrongdoing.
Massachusetts AG Announces Settlement with Law Firm Over Debt Collection Practices
On July 27, Massachusetts Attorney General Maura Healey announced a $1 million settlement with the largest debt collection law firm in the state to resolve allegations that the firm engaged in unfair and unlawful debt collection practices. According to a lawsuit filed by the Attorney General’s office in 2015, the firm began filing tens of thousands of debt collection lawsuits each year beginning in 2011, at times targeting the wrong consumers or filing claims based on unsubstantiated debts. The firm also allegedly demanded payment from consumers who relied on social security or other exempt income, despite being provided evidence that the income was exempt from court-ordered collection. Under the terms of the settlement, the company is required to reform its debt collection practices by adhering to guidelines including the following:
- The firm is required to obtain and review “original account-level documentation” prior to initiating a collection to determine whether a consumer is obligated to pay the debt such as, among others, (i) an authenticated bill of sale reflecting the transferred ownership of debt; (ii) original documents reflecting the charge-off balance; (iii) contractual terms and conditions; and (iv) original consumer signed documents showing proof the account was opened;
- The firm is prohibited from engaging in threatening actions to collect on a debt initiated on behalf of a collector or debt buyer, and is further restrained from commencing a collection suit without possessing a final judgment or execution against the consumer, or acceptable account-level documentation;
- The firm cannot initiate a collection suit against a consumer until an attorney listed on the company in the collection suit has reviewed the pertinent information and made the determination that the debt owed is not subject to bankruptcy proceedings and certifies in writing that the collection suit is in compliance.
The settlement terms also stipulate that the firm must comply with collection terms and restrictions concerning exempt and protected income, must adhere to time-barred debt collection restrictions, is enjoined from using false and misleading affidavits to collect debts, and must submit enhanced compliance reporting to AG Healey for review. Additionally, the firm previously paid $1 million to the state to be used in one or more of the following ways: (i) as payments to consumers; (ii) to assist with final judgment facilitation; (iii) to be added to the state’s general fund and/or the Local Consumer Aid Fund; and (iv) to fund programs that “address the negative effect of unfair and deceptive practices related to debt collection.”
International Bank Settles RMBS Claims with FHFA for $5.5 Billion
On July 12, the Federal Housing Finance Agency (FHFA), as conservator of Fannie Mae and Freddie Mac (GSEs), announced a $5.5 billion settlement with an international bank. The settlement resolves FHFA’s claims, lodged in a federal lawsuit in the District of Connecticut, that the bank violated federal and state securities laws in relation to residential mortgage-backed securities (RMBS) trusts purchased by the GSEs between 2005 and 2007. The settlement covers all RMBS “issued, sponsored, sold, or underwritten by . . . [d]efendant between January 1, 2004 and December 31, 2008,” which is intended to include all securities for which FHFA brought claims against the bank in the District of Connecticut action. Under the terms of the agreement, the bank will pay $4.525 billion of the settlement amount to Freddie Mac, and approximately $975 million to Fannie Mae.