InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
National bank to pay $2 million in mortgage fee violation class action
On December 19, the U.S. District Court for the Central District of California granted final approval of a settlement in a $2 million class action resolving allegations that a national bank violated California’s Rosenthal Fair Debt Collection Practices Act (RFDCPA) and Unfair Competition Law (UCL). According to the order for preliminary approval, the plaintiff class alleged that the bank improperly charged and collected transaction fees when processing mortgage payments. The district court certified the class, which included “all persons who have or had a California address, and at any time between June 1, 2016 and the date of the Court’s order preliminarily approving the settlement, paid at least one transaction fee to [the defendant] for making a payment on a residential mortgage loan serviced by [the defendant] by telephone, IVR, or the internet.” The district court determined that the settlement agreement was “reasonable and adequate.” The two class representatives who filed the suit were awarded $1,500 each, and their attorneys were awarded $499,000 in fees.
District Court approves $2.8 million settlement in FDCPA convenience fee class action
On December 22, the U.S. District Court for the Southern District of Florida granted preliminary approval of a $2.8 million settlement in an FDCPA class-action suit resolving allegations that convenience fees were charged when consumers made payments on their mortgages over the phone or online. According to the suit, the plaintiffs claimed the defendant did not charge processing fees if borrowers made payments by check or signed up for automatic monthly debits from their bank accounts. The plaintiffs further argued that the processing fees were “illegal and improper because neither the mortgages themselves nor applicable statutes authorize such fees.” The parties agreed to mediation in April 2022, and a motion for preliminary approval of a settlement was filed in August. A coalition of state attorneys general from 32 states and the District of Columbia, led by the New York AG filed an amicus brief in the district court opposing the original proposed $13 million settlement in the suit (covered previously by InfoBytes here). The AGs outlined concerns with the proposed settlement, including that (i) the relief provided to class members violates various state laws, and that the defendant seeks to ratify fees in an “unwritten, mass amendment” that violates state laws and regulations; (ii) class members only receive an “inadequate” one-time payment, while the defendant may continue to charge excessive fees for the life of the loan; and (iii) low- and moderate-income borrowers are not treated equitably under the proposed settlement. Under the terms of the new settlement, members of the class who do not opt out of the settlement will receive a share of the $2.8 million. The settlement also reduces the fees class members will have to pay when making payments online or via the telephone for the next two years. The defendant also agreed to add additional disclosures to its website to increase borrower awareness of alternative payment methods that could have lower fees or no fees. Defendant’s representatives will also receive additional training to ensure they provide additional information and disclosures about convenience fees when speaking with customers.
On June 16, the court granted final approval of the settlement.
District Court preliminarily approves lending discrimination settlement
On December 15, the U.S. District Court for the Northern District of California preliminarily approved a $480,000 class action settlement concerning whether an online lender allegedly denied consumers’ applications based on their immigration status. Plaintiffs filed a putative class action against the defendants, alleging the lender denied their loan applications based on one of the plaintiff’s Deferred Action for Childhood Arrivals (DACA) status and the other plaintiff’s status as a conditional permanent resident (CPR). Plaintiffs claimed that these practices constituted unlawful discrimination and “alienage discrimination” in violation of federal law and California state law. Plaintiffs also alleged that the defendants violated the FCRA by accessing their credit reports without a permissible purpose. (Covered by InfoBytes here.) Under the terms of the preliminarily approved settlement, the defendants would be required to pay $155,000 into a settlement fund, as well as up to $300,000 in attorneys’ fees and $25,000 in administrative costs. The defendants have also agreed to change their lending policies to ensure DACA and CPR applicants are evaluated for loan eligibility based on the same terms as U.S. citizens.
The district court noted, however, that the proposed settlement includes a “clear sailing arrangement,” which provides that the defendants will not oppose plaintiffs’ motion for attorneys’ fees and costs provided the requested amount does not exceed $300,000. Referring to an opinion issued by the U.S. Court of Appeals for the Ninth Circuit in which the appellate court warned that clear sailing arrangements are “important warning signs of collusion” because they show an increased “likelihood that class counsel will have bargained away something of value to the class,” the district court explained that it intends to “carefully scrutinize the circumstances and determine what attorneys’ fee awards is appropriate in this case.”
DOJ settles with Alabama housing authority on discrimination allegations
On December 15, the DOJ announced the approval of a consent decree by the U.S. District Court for the Northern District of Alabama, which resolves a Fair Housing Act lawsuit against an Alabama public housing authority, as well as several related parties, accused of engaging in racial steering. According to the DOJ, the defendants allegedly maintained largely segregated housing and steered Black applicants away from several overwhelmingly white housing communities to two predominantly Black housing communities. In the DOJ’s investigation, tenants and residents reportedly highlighted “the deep psychological stigma and harm suffered by hundreds of Black families who have lived in segregated housing for generations.” Under the consent decree, the defendants must pay $275,000 in damages to 23 current or former tenants who were allegedly harmed by the race discrimination, as well as a $10,000 civil money penalty. Among other requirements, the defendants must (i) implement policies and procedures to remedy the alleged segregation and to ensure applicants are not offered housing community units based on their race or color; (ii) undergo fair housing training; and (iii) periodically submit compliance reports to the DOJ.
District Court approves $4.24 million overdraft settlement
On December 9, the U.S. District Court for the Southern District of Florida granted final approval to a $4.24 million class action settlement resolving allegations related to a defendant bank’s overdraft fee practices. Plaintiff alleged breach of contract claims related to the defendant’s practice of charging overdraft fees on checks and automated clearing house transactions that were paid by the defendant despite customer accounts having insufficient funds. The overdraft fees were allegedly charged after the transaction was resubmitted by a merchant or third party after having previously been returned unpaid by the defendant for insufficient funds. The parties reached a settlement in which the defendant will pay $4.24 million into a settlement fund to provide relief to class members (defined as all current and former consumer checking account holders who were charged at least one retry overdraft fee). The settlement also include $1.4 million in attorneys’ fees. A service award for the class representative was denied, however, with the court explaining that the law in its circuit makes “clear that incentive awards ‘that compensate a class representative for [her] time and rewards her for bringing a lawsuit’ are prohibited.”
Hair clinic must pay $500,000 to resolve data breach
On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.
OFAC settles with virtual currency exchange to resolve IP address screening deficiencies
On November 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $362,158 settlement with a global virtual currency exchange for allegedly exporting services to users who appeared to be located in Iran when they engaged in virtual currency transactions on the exchange’s platform. According to OFAC’s web notice, the exchange’s platform allows users to buy, sell, hold, or exchange cryptocurrencies. Users can also trade fiat currency for cryptocurrency on the platform. The exchange’s anti-money laundering and sanctions compliance program screens customers at onboarding and daily thereafter, and reviews information about IP addresses generated at the time of onboarding to prevent users in sanctioned jurisdictions from opening accounts and conducting transactions. OFAC stated, however, that between October 2015 and June 2019, the exchange allegedly processed 826 transactions totaling roughly $1.6 million on behalf of individuals who appeared to be in Iran when the transactions happened. OFAC maintained that because the exchange failed to implement IP address blocking on transactional activity across its platform, “account holders who established their accounts outside of sanctioned jurisdictions appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.” As a result, the exchange allegedly violated the Iranian Transactions and Sanctions Regulations.
In arriving at the settlement amount, OFAC determined that the exchange failed to exercise due caution or care for its sanctions compliance obligations by only applying its geolocation controls at the time of onboarding and not with respect to subsequent transactional activity even though it knew customers were located worldwide.
OFAC also considered various mitigating factors, including that the exchange has not received a penalty notice from OFAC in the preceding five years, the exchange voluntarily self-disclosed the alleged violations and undertook significant remedial measures, such as (i) “adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts” on the exchange’s platform; (ii) implementing blockchain analysis tools to assist with sanctions monitoring; (iii) expanding staff and providing compliance training; (iv) adding “additional screening capabilities to ensure compliance with OFAC’s ‘50 Percent Rule,’ including detailed reports on beneficial ownership; (v) contracting a vendor to assist with the identification and nationality verification through the use of artificial intelligence tools; and (vi) implementing automated controls designed to block certain accounts. In addition, the exchange agreed to invest an additional $100,000 in certain sanctions compliance controls as part of the settlement.
Providing context for the settlement, OFAC stated that this action “highlights the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions”—both at the time of onboarding and throughout the lifetime of the account.
Tech company to pay $391.5 million to resolve data tracking allegations
On November 10, forty states and a multinational technology company reached a $391.5 million settlement resolving allegations that the company tracked users’ locations even after they believed the feature was turned off. According to the assurance of voluntary compliance, the company allegedly misrepresented and omitted, among other things, material information regarding the location history and web and app activity settings, which “confused users about how location information would be captured, stored, and used without users’ knowledge or consent.” Additionally, the company allegedly used deceptive and unfair practices in a setting “that purports to allow users to opt out of personalized advertising and allows users to ‘control’ [the company’s] use of their location information.” The company agreed to, among other things: (i) “issue a pop-up notification to users who have location history or web & app activity enabled at the time of the notification”; (ii) “send an email to users who have location history or web & app activity enabled at the time of the notification”; and (iii) design and present a location technologies page “in a clear and conspicuous disclosure.”
District Court approves payday settlement
On November 10, the U.S. District Court for the Southern District of Mississippi issued a final settlement order resolving allegations that a Mississippi-based payday lender violated the CFPA in connection with check cashing services and small dollar loans. As previously covered by InfoBytes, the CFPB filed a complaint against two Mississippi-based payday loan and check cashing companies for allegedly violating the CFPA’s prohibition on unfair, deceptive, or abusive acts or practices.
In March 2018, a district court denied the payday lenders’ motion for judgment on the pleadings, rejecting the argument that the Bureau's structure unconstitutional and that the agency’s claims violate due process. The U.S. Court of Appeals for the Fifth Circuit agreed to hear an interlocutory appeal on the constitutionality question, and, prior to the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB, a divided panel held that the CFPB’s single-director structure is constitutional, finding no constitutional defect with allowing the director of the Bureau to only be fired for cause (covered by InfoBytes here). The order noted that the 5th Circuit voted sua sponte to rehear the case en banc and issued an opinion in which the majority vacated the district court’s opinion as contrary to Seila Law. The majority did not, however, direct the district court to enter judgment against the Bureau because, though the Supreme Court had found that the director’s for-cause removal provision was unconstitutional, it was severable from the statute establishing the Bureau (covered by a Buckley Special Alert). The majority determined that the “time has arrived for the district court to proceed” and stated it “place[s] no limitation on the matters that that court may consider, including, without limitation, any other constitutional challenges.”
According to the settlement, the owner and president of the company must pay a civil money penalty of $899,350 to the Bureau “by reason of the [UDAAP violations] alleged in the Complaint.” However, the order further noted that the amount is remitted by $889,350 because he paid “that amount in fines to the Mississippi Department of Banking and Consumer Finance.” The district court also entered a separate order dismissing the lawsuit with prejudice.
States reach multi-million dollar CRA data breach settlement
On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitory services to affected consumers.
Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.
Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.