InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Internet provider and states agree to nearly $12.5 million for false advertising, hidden fees
On December 19, the Colorado attorney general announced that an internet service provider (ISP) agreed to pay nearly $8.5 million in order to resolve allegations that it “unfairly and deceptively charg[ed] hidden fees, falsely advertis[ed] guaranteed locked prices, and fail[ed] to provide discounts and refunds it promised” to Colorado consumers in violation of the Colorado Consumer Protection Act. According to the announcement, in 2017 the AG’s office investigated the ISP and compiled information that the ISP had “systematically and deceptively overcharged consumers for services” since 2014 (see the complaint filed by the AG here). In the settlement, the ISP agreed to an order that requires it, among other things, to (i) refrain from making false and misleading statements to consumers in the marketing, advertising and sale of its products and services; (ii) accurately communicate monthly base charges as well as one-time fees, taxes, and other fees and surcharges to consumers; (iii) disclose any “internet cost recovery fee” or “broadband recovery fee” to consumers being charged the fees and allow the affected consumers to switch to different services if they wish to avoid the fees; (iv) refrain from charging an “internet or broadband cost recovery fee” on new orders; and (v) provide refunds to customers who were overcharged for services and to those customers who did not previously receive discounts that the ISP promised.
In a separate action, on December 31, the Oregon attorney general’s office announced that it entered into a $4 million Assurance of Voluntary Compliance with the same ISP to resolve similar claims of deceptive acts and practices in the advertising, sale, and billing of the ISP’s internet, telephone and cable services in violation of the Oregon Unlawful Trade Practices Act. According to the announcement, the Oregon DOJ started an investigation of the ISP in 2014 for allegedly “misrepresenting the price of services, failing to inform consumers of terms and conditions that could affect the price, and billing consumers for services they never received.” The ISP agreed to requirements that are very similar to those in the Colorado settlement. The announcement notes that the “Oregon DOJ will continue to lead a separate securities class action lawsuit arising from the same conduct.”
Bank and Philadelphia reach $10 million settlement in redlining suit
On December 16, a national bank and the city of Philadelphia agreed to a $10 million settlement in a fair lending suit filed against a national bank in 2017 in the U.S. District Court for the Eastern District of Pennsylvania. The settlement resolves claims against the bank alleging violations of the Fair Housing Act, as previously covered in InfoBytes. Specifically, the city alleged that the bank engaged in discriminatory mortgage lending practices by placing minority borrowers in loans with less favorable terms than loans to similar non-minority borrowers. According to the complaint, these allegedly discriminatory loans increased foreclosure rates and resulted in falling property values, particularly in minority and low-income neighborhoods in Philadelphia. The empty properties and lower property values in turn reduced tax revenues and increased costs to the city to pay for municipal services including police, fire fighting, housing programs, and also maintenance for the growing number of empty properties. The court had previously denied the bank’s motion to dismiss, (prior InfoBytes coverage here), which argued, among other things, that the city had failed to show that the bank’s alleged lending practices were the proximate cause of the city’s harm.
Pennsylvania reaches settlement with travel websites over data breach
On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s investigation, a hacker bypassed security detection and built malware that targeted payment cards on one of the company’s platforms. The company was also notified by a business partner of potentially fraudulent point of purchase transactions related to the data breach. Under the terms of the Assurance of Voluntary Compliance—which alleges the company violated the state’s Unfair Trade Practices and Consumer Protection Law by misrepresenting safeguards for customer data in its privacy policy and failing to fully implement data security policies—the companies have agreed to pay $110,000, including a $80,000 civil penalty and $30,000 towards future public protection and education purposes. The company must also implement a number of security requirements, such as (i) implementing a comprehensive information security program on their travel website; (ii) conducting annual risk assessments; (iii) developing a program for implementing and operating safeguards; and (iv) complying with Payment Card Industry Data Security Standards.
Payday lenders’ $12 million settlement approved
On December 13, the U.S. District Court for the Eastern District of Virginia granted final approval of a $12 million settlement to resolve allegations including unjust enrichment, usury, and violations of RICO against tribe-related lenders (lenders) that plaintiffs claim charged extremely high interest rates on consumer payday loans. According to the memorandum in support of the settlement, one lender’s “operation constituted a “rent-a-tribe,” where it originated high-interest loans through entities formed under tribal law in an attempt to evade state and federal laws.” The parties filed a preliminary settlement agreement in June. According to the approval order, the court found that “the settlement agreement is fair, adequate and reasonable,” reaffirmed certification of a final settlement class, and additionally found that “the class representatives have and continue to adequately represent settlement class members.” This settlement ends three separate putative class actions against the lenders.
Broker to pay nearly $4 million to settle ADR mishandling claims
On December 9, the SEC announced a settlement with a broker to resolve allegations concerning the improper handling of pre-released American Depositary Receipts (ADRs), or “U.S. securities that represent foreign shares of a foreign company.” The SEC noted in its press release that ADRs can be pre-released without the deposit of foreign shares only if: (i) the brokers receiving the ADRs have an agreement with a depository bank; and (ii) the broker or the broker's customer owns the number of foreign shares that corresponds to the number of shares the ADR represents. According to the SEC’s order, the broker improperly borrowed pre-released ADRs from other brokers that it should have known did not own the foreign shares necessary to support the ADRs. The SEC also found that the broker failed to implement policies and procedures to reasonably detect whether its securities lending desk personnel were engaging in such transactions. The broker neither admitted nor denied the SEC’s allegations, but agreed to pay more than $2.2 million in disgorgement, roughly $468,000 in prejudgment interest, and a $1.25 million penalty. The SEC’s order acknowledged the broker’s cooperation in the investigation and that the broker had entered into tolling agreements.
CFPB settles with two military loan companies
On November 25, the CFPB announced a settlement with two companies that originated and serviced travel-related loans for military servicemembers and their families. According to the consent order with the lender and its principal, the lender (i) charged fees to customers who obtained financing, at a higher rate than those customers who paid in full, but failed to include the fee in the finance charge or APR; (ii) falsely quoted low monthly interest rates to customers over the phone; and (iii) failed to provide the required information about the terms of credit and the total of payments in violation of TILA and the TSR. The consent order prohibits future lending targeted to military consumers and requires the lender and its principal to pay a civil money penalty of $1. The order also imposes a suspended judgment of almost $3.5 million, based on an inability to pay.
In its consent order against the servicer, the Bureau asserts the servicer engaged in deceptive practices by overcharging servicemembers for debt-cancellation products and, in violation of the FCRA’s implementing Regulation V, never established or maintained written policies and procedures regarding the accuracy of information furnished to credit reporting agencies. The consent order issues injunctive relief and requires the servicer to (i) pay a $25,000 civil money penalty; (ii) provide redress to consumers who were allegedly overcharged for the debt-cancellation product; (iii) pay over $54,000 in restitution to borrowers with no outstanding balance on their loans and issue additional account credits to borrowers with outstanding balances; and (iv) establish reasonable policies and procedures for accurate reporting to consumer reporting agencies.
CFPB reaches $8.5 million settlement with background screening company
On November 22, the CFPB announced a settlement with an employment background screening company resolving allegations that the company violated the FCRA. In the complaint, the Bureau asserts that the company failed to “employ reasonable procedures to assure maximum possible accuracy” in the consumer reports it prepared. Specifically, the Bureau claims that until October 2014, the company matched criminal records with applicants based on only two personal identifiers, which created a “heightened risk of false positives” in commonly named individuals. The company also had a practice of including “high-risk indicators,” sourced from a third party, in its consumer reports and did not follow procedures to verify the accuracy of the designations. Additionally, the Bureau asserts that the company failed to maintain procedures to ensure that adverse public record information was complete and up to date, resulting in reporting outdated adverse information in violation of the FCRA. Under the stipulated judgment, in addition to injunctive relief, the company will be required to pay $6 million in monetary relief to affected consumers and a $2.5 million civil money penalty.
Washington AG settles deceptive practices allegations with office supply company
On November 13, the Washington attorney general announced an office supply company has agreed to pay $900,000 to resolve an investigation into deceptive computer repair services. According to the AG’s office, the company allegedly used a software program, called “PC Health Check” or similar names, to facilitate the sale of diagnostic and repair services to retail customers that cost up to $200, regardless of whether their computer was actually infected with viruses or malware. The company claimed that the program, which allegedly detected malware symptoms on consumers’ computers, actually based the results on answers to four questions consumers were asked by a company employee at the beginning of the service, including whether the computer had slowed down, had issues with frequent pop-up ads, received virus warnings, or crashed often. After the questions were asked, the responses were entered into the program and a simple scan of the computer was run. The AG’s office claims that the scan had no connection to the malware symptoms results because an affirmative answer by the consumer to any of the four questions always led to the report of actual or potential malware symptoms. The release also states that in 2012, a company employee informed management that “the software reported malware symptoms on a computer that ‘didn’t have anything wrong with it,’” but that the company continued to sell the repair services until 2016 to an estimated 14,000 Washington consumers. According to the AG’s release, Washington is the only state to reach an agreement with the company over the alleged practices in addition to the $35 million national settlement the company and its software vendor reached with the FTC in March for similar conduct. (Previous InfoBytes coverage here.)
FTC settles with technology service provider on data security issues
On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”
The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.
The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.
CFPB argues private class action settlement interferes with its CFPA enforcement authority
On November 6, the CFPB filed an amicus brief with the Court of Appeals of Maryland in a case challenging a private class action settlement against a structured settlement company, which purports to “release the Bureau’s claims in a pending federal action, to enjoin class members from receiving benefits from the Bureau’s lawsuit, and to assign any benefits the Bureau might obtain for class members to the class-action defendants.” As previously covered by InfoBytes, in 2017, the U.S. District Court for the District of Maryland allowed a UDAAP claim brought by the CFPB to move forward against the same structured settlement company, where the Bureau alleged the company employed abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. A similar action was also brought by the Maryland attorney general against the company. In addition to the state and federal enforcement actions, the plaintiffs filed a private class action against the company, and a trial court approved a settlement. The Court of Special Appeals reversed the lower court’s approval of the settlement, concluding that it “interferes with the [state’s] and Bureau’s enforcement authority.” The company appealed.
In its brief to the Maryland Court of Appeals, the Bureau argues that the Court of Special Appeals decision should be affirmed because the settlement provisions “threaten to interfere with the Bureau’s authority under the [Consumer Financial Protection Act] in two significant ways.” Specifically, the Bureau argues that the settlement (i) could interfere with the Bureau’s statutory mandate to remediate consumers harmed through the Civil Penalty Fund; and (ii) would interfere with the Bureau’s authority to use restitution to remediate consumer harm. The Bureau states that “the risk of windfalls to such wrongdoers could force the Bureau to decline to award Fund payments to victims,” and would “threaten to offend basic principles of equity.”