Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FTC reaches settlement with dealership to resolve UDAP and fair lending allegations

    Federal Issues

    On May 27, the FTC announced settlements with a New York City auto dealer and its general manager (collectively, “defendants”) to resolve allegations that the defendants engaged in illegal auto financing sales practices and maintained a policy of charging African-American and Hispanic car buyers more for financing that similarly situated non-Hispanic white consumers. The complaint alleges that the defendants violated the FTC Act, TILA, and ECOA. According to the complaint, the defendants engaged in deceptive and unfair practices by, among other things, allegedly (i) advertising low sales prices but failing to honor them; (ii) inflating the cost through a variety of methods, including telling buyers that they had to pay unnecessary charges to purchase “certified pre-owned” cars, double-charging consumers for taxes and fees without their consent, and altering the terms in the middle of a sale; and (iii) charge higher financing “markups” and fees to African-American and Hispanic customers.

    The defendants—who neither admit nor deny the allegations—have each agreed under the terms of the settlements (see here and here) to pay $1.5 million in consumer redress. The orders also prohibit the defendants from misrepresenting the cost or terms to purchase, lease, or finance a car, and require the defendants to obtain express, informed buyer consent for all charges and provide clear financing disclosures. The defendants are also banned from engaging in unlawful credit discrimination, and are prohibited from engaging in credit transactions unless they establish a fair lending program that will, among other things, provide training for employees and cap the allowed rate markups.

    The Commission vote authorizing the filing of the complaint and stipulated final order was 5-0. Commissioner Chopra issued a concurring statement addressing disparate impact and unfair discrimination in the auto industry, and emphasized it is time for the FTC to use its rulemaking authority to establish protections for car buyers and honest auto dealers. Commissioner Slaughter agreed that there is a need for auto financing and sales market reform, and suggested that the FTC can begin by initiating a rulemaking under Dodd-Frank to regulate dealer markups.

    Federal Issues FTC Fair Lending FTC Act TILA ECOA Enforcement Settlement

  • New York AG announced proposed settlement with student debt relief companies

    State Issues

    On May 22, the New York attorney general (NYAG) announced a proposed settlement with three student loan debt relief companies and two of the companies’ executive officers (collectively, “defendants”), resolving allegations that the defendants participated in a broader scheme that fraudulently, deceptively, and illegally marketed, sold, and financed student debt relief services to consumers nationwide. As previously covered by InfoBytes, the September 2018 complaint alleged that a total of nine student loan debt relief companies, along with their financing company, and the two individuals violated several federal and state consumer protection statutes, including the Telemarketing Sales Rule, New York General Business Law, the state’s usury cap on interest rates, disclosure requirements under TILA, and the Federal Credit Repair Organization Act. Specifically, the NYAG asserted, among other things, that the defendants (i) sent direct mail solicitations to consumers that deceptively appeared to be from a governmental agency or an entity affiliated with a government agency; (ii) charged consumers over $1,000 for services that were available for free; (iii) requested upfront payments in violation of federal and state credit repair and debt relief laws; and (iv) charged usurious interest rates.

    If approved by the court, the proposed consent judgment would require the five defendants to pay $250,000 of a $5.5 million total judgment, due to their inability to pay. Additionally, the defendants are also permanently banned from advertising, marketing, promoting, offering for sale, or selling any type of debt relief product or service—or from assisting others in doing the same. Additionally, the defendants must request that any credit reporting agency to which the defendants reported consumer information in connection with the student loan debt relief services remove the information from those consumers’ credit files. The defendants also agreed not to sell, transfer, or benefit from the personal information collected from borrowers.

    The NYAG previously settled with two other defendants in February, covered by InfoBytes here.

    State Issues State Attorney General Courts Student Lending Debt Relief Usury Telemarketing Sales Rule TILA Credit Repair Organizations Act Settlement

  • Financial institutions, CRA reach settlement over 2017 data breach

    Courts

    On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”

    The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.

    Courts Settlement Privacy/Cyber Risk & Data Security MDL Data Breach Credit Reporting Agency

  • FTC settles with e-commerce telemarketers for $1.2 million

    Federal Issues

    On May 13, the FTC announced a $1.2 million settlement with a group of telemarketing companies and their owners (collectively, “defendants”) for an allegedly deceptive e-commerce scheme in violation of the FTC Act, the Telemarketing Sales Rule (TSR), and the Consumer Review Fairness Act (CRFA). According to the complaint filed in the U.S. District Court for the Western District of Washington, the defendants sold products and services to consumers trying to start at-home internet-based businesses, which the defendants claimed would “substantially increase the visibility of and drive customer traffic to consumers’ ecommerce websites on the Internet.” The defendants would allegedly obtain leads by using a service that produces leads of consumers who have recently registered websites. The defendants would contact the consumers by telephone to sell services and would typically continue to call consumers to “upsell” additional products. The FTC argues that “[c]ontrary to [d]efendants’ representations, many consumers who purchase [d]efendants’ products and services do not end up with a functional website, earn little or no money, and end up heavily in debt.” The complaint alleges that the defendants violated the FTC Act, the TSR, and the CRFA by, among other things, (i) making unsubstantiated and false earnings and product claims; (ii) making false claims about business affiliations; and (iii) using contract provisions that restrict consumers’ ability to review or complain about purchased products or services.

    The settlement with two of the entities and one owner includes a monetary judgment of over $16 million, which is partially suspended due to an inability to pay, and requires the defendants to surrender over $900,000. In separate settlements with the other two owners, large monetary judgments are also partially suspended due to an inability to pay, with one required to surrender over $100,000, and the other required to surrender over $200,000.

    Federal Issues FTC Act Enforcement Telemarketing Sales Rule Deceptive Settlement UDAP

  • $550 million preliminary settlement reached in biometric privacy class action

    Privacy, Cyber Risk & Data Security

    On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of Illinois users, would resolve consolidated class claims that alleged the social media company’s face scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). As previously covered by InfoBytes, last August the U.S. Court of Appeals for the 9th Circuit affirmed class certification and held that the class’s claims met the standing requirement described in Spokeo, Inc. v. Robins because the social media company’s alleged development of a face template that used facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. According to the motion for preliminary approval, the settlement would be the largest BIPA class action settlement ever and would provide “cash relief that far outstrips what class members typically receive in privacy settlements, even in cases in which substantial statutory damages are involved.” If approved, the social media company must also provide “forward-looking relief” to ensure it secures users’ informed, written consent as required under BIPA.

    Privacy/Cyber Risk & Data Security Courts Enforcement Consumer Protection Settlement Class Action State Issues

  • OFAC settles Cuban Assets Control Regulation violations

    Financial Crimes

    On May 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $257,862 settlement with an animal nutrition company for 44 alleged violations of the Cuban Assets Control Regulations (CACR). According to OFAC, between July 2012 and September 2017, the company and its owned or controlled foreign entities allegedly coordinated agricultural commodity sales to a Cuban company without OFAC authorization by processing Cuba-related business through its foreign affiliates and developing “a transaction structure that it incorrectly determined would be consistent with U.S. sanctions requirements.” OFAC noted that the company “could potentially have availed itself of such authorization” or applied for a specific licenses from OFAC, but “failed to seek appropriate advice or otherwise take the steps necessary to authorize these transactions.” OFAC determined that in light of the fact that the transactions may have been eligible for authorization, as well as the company’s voluntary self-disclosure, compliance enhancements, and other factors, the apparent violations constituted a non-egregious case.

    OFAC advised U.S. companies with a global presence to maintain an appropriate sanctions compliance program and to seek “appropriate advice and guidance” when contemplating business that may be impacted by U.S. sanctions programs. In addition, OFAC referenced enforcement and compliance resources and cautioned that sanctions violations can arise from a misinterpretation or lack of understanding of OFAC’s regulations, including general licenses and authorizations. OFAC advised U.S. persons to “exercise[e] caution when dealing with foreign subsidiaries or affiliates located in regions subject to U.S. sanctions programs” and to understand the full scope and applicability of authorizations related to certain sanctions prohibitions.

    Financial Crimes OFAC Department of Treasury Settlement Of Interest to Non-US Persons Sanctions Cuba

  • Student loan servicer settles public service loan relief suit

    Courts

    On April 24, a proposed class of borrowers and a national student loan servicer agreed to settle a lawsuit, which alleged the servicer failed to inform the borrowers of a loan forgiveness program for public service employees. The proposed settlement, which was granted final court approval in October, settles the one remaining deceptive acts and practices claim under a section of the New York General Business Law after the U.S. District Court for the Southern District of New York dismissed the rest of the borrowers’ claims last July. The court noted in its order that it did not agree with the servicer’s argument that the claims were preempted by the federal Higher Education Act (HEA), stating that the borrowers “do not seek to impose state law ‘disclosure requirements’ on federal student loans,” but instead “seek to hold [the servicer] liable for affirmative misrepresentations made in the course of performing its duties under various contracts.” According to the court’s order, language under the HEA “does not express the ‘clear and manifest purpose of Congress’ to preempt such claims.”

    While the servicer denies any allegations of wrongful conduct and damages, it has agreed to, among other things, put in place enhancements to identify borrowers who may qualify for Public Service Loan Forgiveness and “distribute comprehensive and accurate information about how to qualify, which are meaningful business practice enhancements.” The servicer will also fund a $2.25 million education and counseling program for student loan borrowers in public service.

    Courts Student Lending State Issues Student Loan Servicer Settlement

  • Court approves $5 billion FTC settlement with social media company

    Privacy, Cyber Risk & Data Security

    On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC. The settlement, first announced last July (covered by InfoBytes here), requires the company to take a series of remedial steps, including (i) ceasing misrepresentations concerning its collection and disclosure of users’ personal information, as well as its privacy and security measures; (ii) clearly disclosing when it will share data with third parties and obtaining user express consent if the sharing goes beyond a user’s privacy setting restrictions; (iii) deleting or de-identifying a user’s personal information within a reasonable time frame if an account is closed; (iv) creating a more robust privacy program with safeguards applicable to third parties with access to a user’s personal information; (v) creating a new privacy committee and designating a dedicated corporate officer in charge of monitoring the effectiveness of the privacy program; (vi) alerting the FTC when more than 500 users’ personal information has been compromised; and (vii) undertaking reporting and recordkeeping obligations, and commissioning regular, independent privacy assessments. The order “resolves all consumer-protection claims known by the FTC prior to June 12, 2019, that [the company], its officers, and directors violated Section 5 of the FTC Act.” While the court acknowledged concerns raised by several amici opposing the settlement, the court concluded that the settlement and the proposed remedies were reasonable and in the public interest. On April 28, the FTC announced the formal approval of amendments to its 2012 privacy order to incorporate updated provisions included in the 2019 settlement.

    Privacy/Cyber Risk & Data Security FTC Enforcement Consumer Protection Settlement

  • Multi-jurisdiction settlement reached with credit reporting agency over 2017 data breach

    Privacy, Cyber Risk & Data Security

    On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017 complaint (covered by InfoBytes here), the CRA ignored cybersecurity vulnerabilities for months before the breach occurred and failed to take measures to implement and maintain reasonable safeguards. Under the terms of the proposed settlement, pending final court approval, the CRA will pay Massachusetts $18.2 million and is required to take significant measures to strengthen its security practices to ensure compliance with Massachusetts law. These measures include (i) implementing a comprehensive information security program; (ii) minimizing the collection of sensitive personal information; (iii) managing and implementing specific technical safeguards and controls; (iv) providing consumer-related relief, such as credit monitoring services and security freezes; and (iv) allowing third-party assessments of its data safeguards.

    Earlier, on April 14, the Indiana attorney general also announced that the CRA will pay the state $19.5 million to resolve allegations that it failed to protect Indiana residents whose personal information was exposed in the 2017 data breach. Under the terms of the final judgment and consent decree, in addition to paying $19.5 million in restitution, the CRA must take measures similar to those outlined in the Massachusetts settlement.

    Massachusetts and Indiana were the only two states that chose not to participate in the 2017 multi-agency settlement that resolved federal and state investigations into the data breach and required the company to pay up to $700 million (covered by InfoBytes here).

    Separately, on April 7, the City of Chicago announced a $1.5 million settlement to resolve allegations that the CRA’s failure to employ adequate data-security measures led to the breach.

    Privacy/Cyber Risk & Data Security State Attorney General Data Breach State Issues Credit Reporting Agency Settlement Massachusetts Indiana

  • Rent-to-own payment plan company settles deceptive representation allegations with FTC

    Federal Issues

    On April 20, the FTC filed a complaint against a rent-to-own payment plan company for allegedly making false, misleading, and deceptive representations in violation of the FTC Act to consumers regarding the marketing, sale, and terms of their payment plans. In its complaint, the FTC alleged that while the company offered “same as cash” and “no interest” payment plans to consumers seeking to purchase items at retailers nationwide, it actually charged consumers substantially more than the item’s retail price. Accessing the actual terms of the payment plans was confusing for consumers, the FTC contended, and allegedly led to consumers frequently paying roughly twice the item’s sticker price if they made the initial and all scheduled recurring payments. According to the FTC, the company (i) received tens of thousands of consumer complaints; (ii) was aware consumers were confused by the terms of their payment plans; and (iii) had been presented with concerns from retailers regarding the company’s training materials, which, among other things, instructed sales associates to say “‘there actually isn’t an interest rate, because it’s not a loan.” Under the terms of the proposed settlement, the company is, among other things, (i) prohibited from misrepresenting the costs, nature, terms, and any other material facts related to its payment plans; (ii) required to clearly and conspicuously disclose the total cost to own a product when marketing its plans; (iii) ordered to monitor third parties, including retailers that offer the company’s payment plans to ensure compliance with the terms of the settlement; and (iv) required to receive express, informed consent from consumers prior to billing them for a plan. The company is also required to pay $175 million in equitable monetary relief.

    Federal Issues FTC Enforcement Consumer Protection FTC Act UDAP Deceptive Settlement

Pages

Upcoming Events