InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC bans respondents from surveillance business
On September 1, the FTC announced that a data monitoring application and its CEO (collectively, “respondents”) will be permanently banned from the surveillance industry for failing to provide reasonable data security for consumers’ personal information by allegedly “secretly harvesting and sharing data on people’s live location, web use, and online activities through their product’s hidden device hack.” The respondents allegedly sold real-time access to their surveillance system, which allowed stalkers and domestic abusers to “stealthily track” unknowing victims.
According to the complaint, the respondents violated Section 5 of the FTC Act by committing unfair or deceptive business practices in using unauthorized personal information and failing to secure such data in which “victims continue to experience substantial harm, including injury in the form of depression, anxiety, and ongoing fear for one’s safety,” even after the stalking or domestic abuse ended. The complaint detailed the covert monitoring products and services offered by respondents once their application is installed, including capturing and logging: email, SMS messages, call history, GPS location and live location, web history, contacts, pictures, calendar, video chats, files downloaded on the device, notifications, among other functions depending on cost.
Under the terms of the proposed settlement, the respondents are: (i) banned from offering, promoting, selling, or advertising any surveillance app, service, or business; (ii) required to delete any information illegally collected from their apps; and (iii) required to notify owners of devices that their devices might have been monitored and the devices may not be secure. This is the agency’s second case “brought against stalkerware apps, and the first where the FTC is obtaining a ban.” According to a statement released by FTC Commissioner Rohit Chopra, the agency is also “seeking public comment on banning [the defendants] from licensing, marketing, or offering for sale surveillance products,” which is “a significant change from the agency’s past approach.”
OFAC reaches $2.3 million settlement with Chinese bank
On August 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a roughly $2.3 million settlement with a UK subsidiary of a Chinese financial institution for allegedly processing transactions in violation of the Sudanese Sanctions Regulations, “which prohibited the exportation, directly or indirectly, to Sudan of any goods, technology, or services from the United States.” According to OFAC’s web notice, between September 2014 and February 2016, the bank processed 111 commercial transactions totaling more than $40 million through U.S. correspondent banks on behalf of parties in Sudan. In conducting a lookback review to identify potential Sudan-related transactions, the bank identified two customers who processed transactions through the U.S. financial system. For both of these customers, the bank’s internal customer database did not reference Sudan in the name or address fields, and messages processed on behalf of these customers by the bank through U.S. banks also failed to include any references to Sudan.
In arriving at the settlement amount, OFAC considered various aggravating factors, including, among other things, that (i) the bank demonstrated reckless disregard for U.S. sanctions regulations by processing the transactions “despite having account and transactional information indicating the Sudanese connection to the accounts and in contravention of the bank’s existing policies and procedures”; (ii) certain bank personnel responsible for processing the transactions knew that the payments were related to entities in Sudan; (iii) the bank conferred economic benefit to a comprehensively sanctioned country; and (iv) the bank “is a commercially sophisticated financial institution that processes transactions internationally.”
OFAC also considered various mitigating factors, including, among other things, that the bank (i) has not received a penalty notice from OFAC in the preceding five years; (ii) self-identified the alleged violations, cooperated with OFAC’s investigation, conducted a lookback, and entered into a tolling agreement; and (iii) has undertaken remedial measures, including enhancing policies and procedures to improve compliance with U.S. sanctions when processing payments through the U.S.
District Court approves RESPA class action settlement
On August 19, the U.S. District Court for the District of Maryland granted preliminary approval of a proposed class action settlement claiming a mortgage company engaged in an allegedly illegal kickback scheme with a title company. According to the memorandum in support of the plaintiffs’ motion for preliminary approval, the title company paid, and the mortgage company received and accepted, kickbacks in exchange for the mortgage company’s “assignment and referral of residential mortgage loans, refinances, and reverse mortgages to [the title company] for title and settlement services.” This conduct, the plaintiffs contended, violated RESPA and RICO. While the mortgage company denied all substantive allegations and liability, the parties reached a proposed settlement, in which class members (defined as borrowers with federal mortgage loans originated by the mortgage company for which the title company provided settlement services) will each receive approximately $3,200 from a $990,000 settlement fund. The preliminarily approved settlement also provides for class counsel fees and expenses and class representative service awards for a total not to exceed roughly $1.27 million.
District Court preliminarily approves $12 million class action settlement over automated mortgage errors
On August 17, the U.S. District Court for the Southern District of Ohio granted preliminary approval of a proposed settlement in a class action that claimed a national bank’s automated mortgage loan modification tools failed to approve borrowers due to technical issues. Class members (defined as borrowers who qualified during a specified time period for a home loan modification or repayment plan pursuant to the requirements of government-sponsored enterprises, FHA, or the Department of Treasury’s Home Affordable Modification Program that “were not offered a home loan modification or repayment plan by [the bank] because of excessive attorneys’ fees being included in the loan modification decision process” and whose homes were not sold in foreclosure) sued the bank alleging it “failed to detect or ignored multiple systematic errors in it automated decision-making software.” This software, class members claimed, is used to create automated calculations and determine whether consumers in default are eligible for loan modifications. According to class members, the bank allegedly “failed to adequately test, audit, and verify that its software was correctly calculating whether customers met threshold requirements for a mortgage modification” and failed to regularly and properly audit its software for compliance with government requirements, thus allowing errors to remain uncorrected. Class members further claimed that the bank apparently took several years to implement new controls and disclose the error. Under the terms of the preliminarily approved settlement, the bank must pay $12 million in relief to the settlement class.
District Court approves $28 million class action settlement over recorded calls
On August 16, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a call center hired by a national bank and its merchant processing servicer (collectively, “defendants”) violated California’s Invasion of Privacy Act by recording calls without receiving customers’ permission. Class members, comprised of California businesses who did not sign a contract for merchant processing services with the servicer, filed suit against the defendants in 2016 claiming the call center placed sales appointment calls to the businesses without disclosing that the calls were being recorded. The defendants denied any liability or knowledge of the alleged conduct, and continued to maintain “that there was no principal-agent relationship with [the call center] and, even if there were such a relationship, [the call center] acted outside the scope of its authority by illegally recording calls.” The preliminarily approved settlement will require the defendants to pay $28 million, of which up to $5,000 will be paid for each eligible call that a class member received during the class period.
District Court approves supplemental $22 million class action foreclosure settlement
On July 26, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed supplemental class settlement, adding new class members who were not part of the list of borrowers included in the court’s October 2020 original settlement order. The supplemental settlement provides more than $21.8 million for additional class members who lost their homes after allegedly being denied loan modifications from a national bank. Class members include borrowers who allegedly should have qualified for loan modifications but were not offered a home loan modification or repayment plan “due to excessive attorney’s fees being included in the loan modification decisioning” and “whose home[s] [the bank] sold in foreclosure.” According to the court’s order granting class certification, a software glitch allegedly caused a calculation error, which resulted in certain fees being misstated and led to incorrect mortgage modification denials. The original settlement set aside $1 million to compensate borrowers who endured “severe emotional distress” as a result of the error, and the supplemental settlement will provide new class members the same opportunity to apply for additional settlement amounts.
Mississippi AG reaches $3.7 million settlement with auto finance company
On July 21, the Mississippi attorney general announced a settlement with an auto finance company to resolve alleged violations of the Mississippi Consumer Protection Act. The AG claimed the auto finance company, among other things, allegedly placed consumers into loans with a high probability of default and engaged in aggressive collection practices. Under the terms of the settlement, the auto finance company will pay $3.7 million to the state, including $1.8 million in consumer restitution, and will stop collecting on loans allegedly extinguished under Mississippi law. Additionally, the auto finance company (i) will account for a borrower’s ability to pay and set a reasonable debt-to-income threshold; (ii) may not require dealers to sell any ancillary products; (iii) will “monitor dealers for possible inflation, power booking, or expense deflation”; (iv) may “not misrepresent a consumer’s prospect of redeeming a vehicle that has been repossessed”; (v) may not require borrowers to make payments through methods requiring additional third-party fees; and (vi) will notify all relevant credit reporting agencies that the borrowers’ debts have been extinguished.
District Court grants final approval to grocery chain data breach settlement
On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which was preliminarily approved in January) allows class members representing consumers who used a payment card to make a purchase at an impacted point-of-sale device during the security incident to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) telecommunication charges; (iii) payday loan interest; and (iv) costs related to credit monitoring, identity theft protection, and time spent replacing credit cards and addressing fraudulent charges. Additionally, class members may be awarded up to $5,000 for “extraordinary expenses” resulting from the compromise of personal information. The grocery chain also agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” However, the court reduced the attorneys’ fees to $739,000 in the final settlement after determining the initial fee request was too high compared to the overall relief for class members.
OFAC reaches $1.4 million settlement with money transmitter
On July 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $1.4 million settlement with a New York-based online money transmitter for 2,260 apparent violations of multiple sanctions programs. According to OFAC’s web notice, between February 4, 2013 and February 20, 2018, the company allegedly processed 2,241 payments for parties located in sanctioned jurisdictions and regions, including the Crimea region of Ukraine, Iran, Sudan, and Syria, as well as 19 payments on behalf of sanctioned persons identified on OFAC’s List of Specially Designated Nationals and Blocked Persons. Identified deficiencies in the company’s sanctions compliance program related to screening, testing, auditing, and transaction review procedures allowed persons in these jurisdictions and regions and those on the SDN List to engage in roughly $802,117.36 worth of transactions, OFAC stated. The apparent violations—related to commercial transactions that the company processed on behalf of its corporate customers and card-issuing financial institutions—allegedly occurred as a result of weak algorithms, business identifier code screening failures, backlogs, and a failure to monitor IP addresses or flag addresses in sanctioned locations.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the company failed to exercise sufficient caution or care for its sanctions compliance obligations; (ii) the company had reason to know users were located in sanctioned jurisdictions and regions based on common indications it had within its possession; and (iii) the apparent violations harmed six different sanctions program.
OFAC also considered various mitigating factors, including that (i) senior management quickly self-disclosed the apparent violations upon discovery and provided substantial cooperation during the investigation; (ii) the company has not received a penalty notice from OFAC in the preceding five years; and (iii) the company has taken remedial measures to minimize the risk of recurrence, including terminating the conduct leading to the apparent violations, retraining compliance employees, enhancing screening software, putting flagged transactions into a pending status rather than completing them, and conducting a daily review of customers’ and counter-parties’ identification documents.
OFAC reaches multiple settlements with companies that conspired to export equipment to Iran
On July 19, OFAC announced a $415,695 settlement with the United Arab Emirates (UAE)-based head regional office of a Sweden-based equipment company for apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR). According to OFAC’s website notice, between 2015 and 2016, the UAE company allegedly conspired with Dubai- and Iran-based companies to export equipment from the U.S. to Iran. As a result, the UAE company caused its U.S.-based affiliate to indirectly export goods to Iran by incorrectly listing a Dubai-based company on its export documentation as the end-user. The conspiracy also allegedly included the organization of additional sales of the equipment in the same manner as the initial sale, which ultimately ended when the U.S. Department of Commerce’s Bureau of Industry and Security requested post-shipment verification that showed certain products in question were reexported to Iran.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the UAE company did not voluntarily self-disclose the apparent violations; (ii) the UAE company “willfully violated the ITSR” by conspiring to export goods from the U.S. to Iran by “obfuscating the end-user’s identity from its U.S. affiliate,” thus causing the U.S. affiliate to violate the ITSR; (iii) multiple managers had actual knowledge of the conduct giving rise to the apparent violations; and (iv) the UAE company “caused harm to the integrity of the ITSR by circumventing U.S. sanctions and conferring an economic benefit to Iran’s energy sector.”
OFAC also considered various mitigating factors, including that (i) none of the relevant subsidiaries, including the UAE company, have received a penalty notice from OFAC in the preceding five years; (ii) the UAE company, through the U.S. affiliate, conducted an internal investigation resulting in numerous remedial measures, including taking disciplinary actions against participating individuals, adopting an enhanced review and screening process for Iran-related transactions, and conducting additional in-person training; and (iii) the UAE company, through the U.S. affiliate, provided substantial cooperation to OFAC during the investigation.
OFAC separately reached a $16,875 settlement with a Virginia-based U.S. subsidiary for its apparent ITSR violations arising from this matter. The Virginia subsidiary did not voluntarily self-disclose the apparent violations, but agreed to the settlement on behalf of a former Pennsylvania-based subsidiary that allegedly referred a known Iranian business opportunity to its foreign affiliate in Dubai. This foreign affiliate, OFAC claimed, then “orchestrated a scheme to export goods” from the U.S. to Iran.