InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Split en banc 11th Circuit vacates $6.3 million FACTA settlement
On October 28, the U.S. Court of Appeals for the Eleventh Circuit, in a 7-3 en banc decision, vacated a $6.3 million Fair and Accurate Credit Transactions Act (FACTA) class action settlement, concluding the plaintiffs lacked standing because they did not allege any concrete harm. According to the opinion, the named plaintiff filed a FACTA class action against a chocolate retailer, alleging that the retailer printed too many credit card digits on receipts over several years. The complaint only pursued statutory damages and explicitly stated it did “not intend[] to request any recovery for personal injury.” The parties agreed to settle the litigation for $6.3 million prior to the U.S. Supreme Court decision in Spokeo, Inc. v. Robins (holding that a plaintiff must allege a concrete injury, not just a statutory violation, to establish standing). After Spokeo, the district court approved the class action, and class objectors appealed, with one objector arguing that the district court lacked jurisdiction to approve the settlement because the named plaintiff did not allege an injury in fact. On appeal, the 11th Circuit issued multiple opinions, with the first two affirming the settlement approval. The full panel ordered a rehearing en banc, vacating the last opinion.
The en banc panel vacated the district court order approving the settlement, concluding that the named plaintiff lacked standing under Spokeo. Specifically, the panel rejected the named plaintiff’s argument that “receipt of a noncompliant receipt itself is a concrete injury,” noting that “nothing in FACTA suggests some kind of intrinsic worth in a compliant receipt.” Moreover, the panel disagreed with the named plaintiff’s distinction that his claim was a “substantive” violation and not just a “procedural” one, reasoning that “no matter what label you hang on a statutory violation, it must be accompanied by a concrete injury.” Because the complaint did not allege a concrete injury, the panel vacated the order.
In dissent, one judge argued that the named plaintiff plausibly alleged concrete harm by establishing that the retailer’s FACTA violation elevated his risk of identity theft. In the second dissent, another judge asserted that both common law and congressional intent support the conclusion that the plaintiff’s complaint constitutes a concrete injury in fact. And lastly, the third dissent argued that the order should not be dismissed outright because the majority made “assumptions about the risks of identity theft without the benefit of a factual record, expert reports, or adversarial testing of the issue in the district court.”
CFPB settles with ninth lender on misleading VA advertising
On October 26, the CFPB announced a settlement with a ninth mortgage lender for mailing consumers advertisements for Department of Veterans Affairs (VA) mortgages that allegedly contained misleading statements or lacked required disclosures. According to the Bureau, the lender allegedly sent false, misleading, and inaccurate direct-mail advertisements for VA guaranteed mortgage loans to servicemembers and veterans in violation of the CFPA, the Mortgage Acts and Practices – Advertising Rule (MAP Rule), and Regulation Z. Among other things, the Bureau alleged the advertisements (i) stated credit terms that the lender was not actually prepared to offer, such as the interest rate and annual percentage rate applicable to the advertised mortgage; (ii) made misrepresentations about “the existence, nature, or amount of cash or credit available to the consumer in connection with the mortgage”; (iii) failed to include required disclosures; (iv) gave the false impression that the mortgage products would help eliminate or reduce debt; and (v) made misleading comparisons in advertisements involving actual or hypothetical loan terms.
The settlement imposes a civil money penalty of $1.8 million and bans the lender from future advertising misrepresentations similar to those identified by the Bureau. Additionally, the settlement requires the lender to use a compliance official to review mortgage advertisements for compliance with consumer protection laws, and to comply with certain enhanced disclosure requirements.
The latest enforcement action is part of the Bureau’s “sweep of investigations” related to deceptive VA-mortgage advertisements. Previously, the Bureau issued consent orders against eight other mortgage lenders for similar violations, covered by InfoBytes here, here, here, and here.
Parties file unopposed settlement requiring credit union to pay $16 million to resolve insufficient funds fee lawsuit
On October 21, class members filed an unopposed motion for preliminary approval of a class action settlement in the U.S. District Court for the Eastern District of Virginia, which would—if approved—require a national credit union to establish a $16 million common fund, pay all settlement administration costs, and modify its account agreement policy to clarify how it assesses insufficient funds fees. The named plaintiff filed a lawsuit against the credit union alleging that its fee-assessment practices for insufficient funds violated her agreement with the credit union. According to the named plaintiff, the credit union charged multiple $29 insufficient funds fees (NSF fees) per transaction, even though she argued her contract only permitted the credit union to charge one NSF fee per transaction, “regardless of how many times the merchant re-presents the debit item or check for payment.” The credit union, however, denied that its NSF fee assessment practices violated the law or were in breach of member contracts. While the court originally dismissed the suit for failure to state a claim, on appeal, the U.S. Court of Appeals for the Fourth Circuit stayed further proceedings to allow the parties to mediate an agreement. If approved, class members will not be required to file claims to receive settlement benefits.
OFAC reaches $4.1 million settlement with holding company to resolve Iranian Transactions and Sanctions Regulations violations
On October 20, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a more than $4.1 million settlement with a Nebraska-based multinational conglomerate holding company to resolve 144 apparent violations of the Iranian Transactions and Sanctions Regulations engaged in by its indirectly wholly owned Turkish subsidiary. According to OFAC’s web notice, the Turkish subsidiary, in violation of the company’s compliance policies, allegedly sold goods to two third-party Turkish distributors knowing that the goods “would be shipped to a distributor in Iran for resale to Iranian end-users, including several entities later identified as meeting the definition of the Government of Iran.” The Turkish subsidiary also purchased goods manufactured by other company subsidiaries, and allegedly took measures “to obfuscate its dealings with Iran” and conceal these activities from the company. Employees of certain other company subsidiaries also allegedly received communications revealing that these orders may have been intended for Iranian end users; however only one of these subsidiaries warned the Turkish subsidiary that such transactions were prohibited.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the Turkish subsidiary’s management “willfully engaged” in prohibited transactions, and certain senior management “intentionally concealed its dealings with Iran”; (ii) certain company subsidiaries had knowledge, or reason to know, that some of the products sent to the Turkish subsidiary were intended for Iran; and (iii) the Turkish subsidiary “demonstrated a pattern of conduct by knowingly engaging in prohibited dealings for approximately three years.”
OFAC also considered various mitigating factors, such as (i) the company voluntarily self-disclosed the apparent violations, and cooperated with the investigation; (ii) the company and its subsidiaries and affiliates signed a tolling agreement; and (iii) the company has undertaken remedial measures, including enhancing its compliance procedures for foreign subsidiaries, to minimize the risk of similar violations from occurring in the future.
Debt collector settles with CFPB for $15 million
On October 15, the CFPB announced a proposed settlement with the largest U.S. debt collector and debt buyer and its subsidiaries (collectively, “defendants”), resolving allegations that the defendants violated the terms of a 2015 consent order related to their debt collection practices. As previously covered by InfoBytes, the Bureau filed an action against the defendants in September alleging that they collected more than $300 million from consumers by violating the terms of the 2015 consent order—and again violating the FDCPA and CFPA—by, among other things, (i) filing lawsuits without possessing certain original account-level documentation (OALD) or first providing the required disclosures; (ii) failing to provide debtors with OALD within 30 days of the debtor’s request; (iii) filing lawsuits to collect on time-barred debt; and (iv) failing to disclose that debtors may incur international-transaction fees when making payments to foreign countries, which “effectively den[ied] consumers the opportunity to make informed choices of their preferred payment methods.”
The stipulated final judgment, if entered by the court, would require the defendants to pay nearly $80,000 in consumer redress and a $15 million civil money penalty. Moreover, among other things, the defendants are subject to a five-year extension of certain conduct provisions of the 2015 consent order and must disclose to consumers the potential for international-transaction fees and that the fees can be avoided by using alternative payment methods.
OFAC reaches $5.8 million settlement to resolve Cuban Assets Control Regulations violations
On October 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a more than $5.8 million settlement with a New York-incorporated travel assistance services company to resolve 2,593 apparent violations of the Cuban Assets Control Regulations (CACR). According to OFAC’s web notice, from roughly June 2010 to January 2015, the company formally codified an indirect payment process in its procedures manual, in which it “intentionally referred” Cuba-related payments to a Canadian affiliate to avoid “processing reimbursement payments directly to Cuban parties and to travelers while they were located in Cuba.” Reimbursements were then sent from the company to the Canadian affiliate for those payments. While the company had a sanctions compliance policy during the time of the apparent violations to screen for individuals or entities on OFAC’s List of Specially Designated Nationals and Blocked Persons, it allegedly failed to comply with screening requirements for countries and regions subject to OFAC prohibitions.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) knew it was illegal to make direct payments to Cuban service providers and therefore formalized the aforementioned referral process; (ii) provided “prohibited post-travel claim reimbursements directly to unauthorized Canadian subscribers who travelled to Cuba”; and (iii) knew of the conduct at issue because the indirect payment process was codified and approved by its CEO.
OFAC also considered various mitigating factors, including that (i) the CACR was later amended to authorize some of the apparent violations; (ii) the company enhanced its sanctions compliance program by, among other things, implementing a formal structure for compliance personnel and conducting sanctions training for all employees; (iii) the company voluntarily disclosed the violations and signed a tolling agreement, including multiple extensions; and (iv) the company terminated the conduct leading to the apparent violations and has undertaken remedial measures to minimize the risk of similar violations from occurring in the future.
Health insurer to pay $48 million to resolve 2014 data breach
On September 30, a multistate settlement was reached between a health insurance company and a collation of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly comprised the personal information of more than 78 million customers nationwide. According to the states, cyber attackers infiltrated the company’s systems using malware installed through a phishing email. The data breach resulted in the exposure of consumers’ social security numbers, birthdays, and other personal data. Under the terms of the settlement, the health insurer must pay $39.5 million in penalties and fees, and is required to (i) not misrepresent the extent of its privacy and security protections; (ii) implement a comprehensive information security program, including “regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO”; (iii) implement specific security requirements, including “anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training”; and (iv) schedule third-party assessments and audits for three years.
Separately, the California AG reached a $8.69 million settlement, subject to court approval, in a parallel investigation, which requires the health insurer to, among other things, implement changes to its information security program and fix vulnerabilities to prevent future data breaches.
Previously in 2018, the health insurer reached a $115 million class action settlement, which provided for two years of credit monitoring, reimbursement of out-of-pocket costs related to the breach, and alternative cash payment for credit monitoring services already obtained (covered by InfoBytes here).
OFAC settles Iranian Transactions and Sanctions Regulations violations
On September 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $473,157 settlement with a California-based equipment and software company for six apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR). According to OFAC’s web notice, from roughly January 2016 to June 2016, the company—through a former subsidiary it had since merged with—allegedly reexported U.S. export-controlled test measurement equipment to Iran. Among other things, OFAC noted that prior to the merger, the subsidiary “committed to cease all existing and future business” with certain sanctioned countries, including Iran. However, after the acquisition, certain subsidiary personnel continued to engage in transactions with Iran, with three employees taking “measures to obfuscate from [the company] their dealings with Iran.”
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the subsidiary willfully violated the ITSR by shipping products in order to bypass the company’s directive to cease Iran-related business; and (ii) some of the subsidiary’s senior branch and sales managers knowingly participated in the apparent violations.
OFAC also considered various mitigating factors, including that the company (i) fully cooperated with OFAC’s investigation; (ii) undertook several remedial measures, such as terminating the appropriate employees; (iii) “assess[ed] past and current transactions for compliance with OFAC regulations, implement[ed] mechanisms to halt current transactions, and ensur[ed] that no further transactions involved restricted countries”; and (iv) enhanced its sanctions compliance program to minimize the risk of similar violations from occurring in the future.
OCC announces settlements with former senior executives over account openings
On September 21, the OCC announced settlements with three former senior executives of a national bank for their roles in the bank’s incentive compensation sales practices. According to consent orders (see here and here), the OCC alleged that two of the individuals either “knew or should have known” about the sales misconduct problem and its root cause, but allegedly failed to, among other things, appropriately consider concerns about the “unreasonably high sales goals” and the associated risks of incentivizing sales of secondary deposit products. The third individual—previously in charge of identifying human resource risks—allegedly approved incentive compensation plans that overly incentivized sales and failed to respond to or escalate information received about unreasonable sales goals. In addition to paying civil money penalties, the individuals—who did not admit or deny wrongdoing—have each agreed to cooperate with the OCC in any investigation, litigation, or administrative proceeding related to sales misconduct at the bank.
As previously covered by InfoBytes, in January, the OCC reached settlements with three other former senior executives in January for their alleged roles in the bank’s sales practices misconduct, and issued notices of charges against five others.
OFAC settles with telecommunications company over sanctions violations
On September 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $894,111 settlement with a New York-based telecommunications systems and software company for four apparent violations of the Sudanese Sanctions Regulations (SSR). According to OFAC’s web notice, between June 2014 and October 2015, the company—through its wholly owned subsidiary—allegedly “indirectly exported warrantied satellite equipment and facilitated services and training to a government-owned entity in Sudan” in apparent violation of the SSR. Among other things, OFAC noted that the company and its subsidiary knew that the end-user of the equipment and services was the Sudan Civil Aviation Authority (SCAA), but the companies still organized the shipment of equipment through a Canadian company despite receiving multiple warnings about OFAC’s export restrictions for Sudan. Once it became known that the SCAA was the ultimate end-user, OFAC contended that the subsidiary’s former Director of Logistics and Export Compliance Official allegedly “attempted to transfer OFAC compliance obligations from [the subsidiary] to the Canadian [c]ompany.” Additionally, OFAC denied the subsidiary’s license application to provide certain warranty services.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the subsidiary “demonstrated reckless disregard for U.S. sanctions requirements and failed to exercise a minimal degree of caution or care by approving warranty services for equipment provided to SCAA while an OFAC license was still pending”; (ii) the subsidiary did not heed warning signs indicating the transactions could have led to the apparent violations; and (iii) the subsidiary’s explanations in response to OFAC subpoenas and a request for information were inconsistent, which required OFAC expending “significant additional time and resources” building an accurate record of the apparent violations. OFAC also considered that it had not issued a violation against the company or its subsidiary in the five years preceding the earliest transaction at issue.