Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court preliminarily approves $90 million settlement in data tracking suit


    On March 31, the U.S. District Court for the Northern District of California preliminarily approved a $90 million class action settlement resolving claims that a social media platform unlawfully tracked consumers’ browsing data. According to the settlement agreement, the defendant obtained and collected data from approximately 124 million platform users in the U.S. who visited websites that displayed the defendant’s “Like” button between April 22, 2010 and September 26, 2011. If the settlement is granted final approval, in addition to paying a $90 million settlement, the company will be required to delete the data it had collected from users during the class period.

    Courts Privacy/Cyber Risk & Data Security Class Action California Settlement

    Share page with AddThis
  • OFAC reaches $78,750 settlement with financial analytics company

    Financial Crimes

    On April 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a roughly $78,750 settlement with a financial analytics company for allegedly processing transactions in violation of Ukraine-Related Sanctions Regulations. According to OFAC’s web notice, in August 2016, the company (which had been recently acquired) reissued and re-dated an August 2015 invoice with a new date that was 374 days after the invoice for the debt was originally issued. After a partial payment, the company reissued the original August 2015 invoice creating two “new” invoices each reflecting half of the remaining balance and dated November 2016, both with payment due upon receipt. After another partial payment, the company reissued a fourth invoice with the remaining debt in September 2017, again altering the date. OFAC concluded that the company violated the Ukraine-Related Sanctions Regulations “by dealing in new debt of longer than 90 days maturity when [it] extended the payment date of its invoices.”

    In arriving at the settlement amount, OFAC considered various aggravating factors, including, among other things, that (i) the company “failed to exercise a minimal degree of caution or care when it reissued and re-dated four invoices to extend the payment date of invoices far beyond the authorized debt tenor, knowing or having reason to know such conduct would violate U.S. sanctions regulations”; (ii) the company’s staff “were aware of and involved in the conduct giving rise to the Apparent Violations”; and (iii) the company “was a commercially sophisticated entity and considered a leader in global energy market analysis, with over 500 customers in 60 countries.” OFAC also considered various mitigating factors, including, among other things, that the company (i) has not received a penalty notice from OFAC in the preceding five years; (ii) “took remedial measures by enhancing their compliance program to better ensure compliance with OFAC sanctions, creating more robust training, adding periodic testing to invoices involving SSI List entities, and adding additional staff to manage sanctions issues”; and (iii) cooperated during the investigation.

    Providing context for the settlement, OFAC stated that this “case underscores the importance of careful adherence to OFAC regulations, including in cases where counterparties may make compliance challenging.”

    Financial Crimes Department of Treasury Of Interest to Non-US Persons OFAC Settlement Enforcement OFAC Designations OFAC Sanctions Ukraine

    Share page with AddThis
  • Social networking apps settle minors' data claims for $1.1 million

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. District Court for the Northern District of Illinois granted final approval to a $1.1 million class action settlement resolving claims that the operators of two video social networking apps (defendants) “‘surreptitiously tracked, collected, and disclosed the personally identifiable information and/or viewing data of children under the age of 13,’ ‘without parental consent’” in violation of federal and California privacy law. Specifically, plaintiffs asserted violations of the Video Privacy Protection Act (VPPA), the California constitutional right to privacy, the California Consumers Legal Remedies Act (CLRA), and the Illinois Consumer Fraud and Deceptive Businesses Practices Act. Defendants countered that plaintiffs’ state-law claims were preempted by the Children’s Online Privacy Protection Act, and that, furthermore, the “alleged conduct is not within the scope of VPPA or the cited state consumer protection laws” and “does not amount to a common law invasion of privacy or a violation of Plaintiffs’ rights under the California Constitution.” Moreover, defendants argued that plaintiffs could not recover actual damages. According to plaintiffs’ supplemental motion for final approval, following months-long negotiations, the parties agreed to settle the action on a class-wide basis.

    The settlement requires defendants to pay $1.1 million into a non-reversionary settlement fund, to be dispersed pro rata to class members (anyone in the U.S. who, prior to the settlement’s effective date and while under the age of 13, registered for or used the apps) who submit a valid claim after the payment of settlement administration expenses, taxes, fees, and service awards. The court’s order, however, declined to award an objector’s counsel any attorneys’ fees for his efforts to negotiate modified relief because the agreement was negotiated in a separate proceeding in related multidistrict litigation. The court also denied plaintiffs’ motion for sanctions against the objector’s law firm.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action State Issues Illinois California COPPA

    Share page with AddThis
  • District Court approves $50 million class action settlement over recorded calls


    On Auguts 4, the U.S. District Court for the Northern District of Illinois approved a class action settlement, resolving allegations that a call center hired by a national bank and its merchant processing servicer (collectively, “defendants”) violated the California Invasion of Privacy Act (CIPA) by recording calls without receiving customers’ permission. According to the plaintiff’s motion for preliminary approval, a lawsuit was filed in 2016 on behalf of a proposed class of small businesses in California who received calls from call center companies attempting to sell credit and debit card payment processing services, alleging, among other things, that the defendants were in a principal-agent relationship with the companies that violated the CIPA by recording telemarketing calls without any warning that the recording was occurring. As previously covered by InfoBytes, class members, comprising California businesses who did not sign a contract for merchant processing services with the servicer, filed suit against another national bank in 2016 claiming the call center placed sales appointment calls to the businesses without disclosing that the calls were being recorded. The preliminarily approved settlement in that case required the defendants to pay $28 million, of which up to $5,000 was paid for each eligible call that a class member received during the class period, which was estimated to be 192,836 individuals. The recent preliminarily approved settlement will require the defendants to pay $50 million, of which up to $5,000 will be paid for each eligible call that a class member received during the class period.

    Courts Settlement Class Action State Issues California Consumer Finance

    Share page with AddThis
  • District Court enters $2.8 million judgment in CFPB student debt relief action


    On March 22, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against one of the defendants in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the Federal Debt Collection Procedures Act and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants and a settlement with two non-parties (covered by InfoBytes here, here, here, here, and here).

    The final judgment issued against the settling defendant, who neither admitted nor denied the allegations except as specifically stated, permanently bans the defendant from participating in telemarking services or offering or selling debt-relief services, and prohibits it from misrepresenting benefits consumers may receive from a product or service. The defendant is also permanently restrained from violating applicable state laws, and may not disclose, use, or benefit from customer information obtained in connection with the offering or providing of the debt relief services. The settlement orders the defendant to pay more than $2.8 million in consumer redress, as well as a $1 civil money penalty to the Bureau and $5,000 to each of the three states.

    Courts CFPB Enforcement State Attorney General State Issues CFPA UDAAP Telemarketing Sales Rule FDCPA Student Lending Debt Relief Consumer Finance Settlement

    Share page with AddThis
  • District Court grants preliminary approval in data breach case


    On March 21, the U.S. District Court for the Eastern District of Texas granted preliminary approval of a settlement in a class action resolving claims that a software company and its subsidiary (collectively, “defendants”) failed to properly safeguard customers' personally identifiable information (PII). According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, the plaintiffs filed suit after a data breach of the defendant’s systems, alleging that defendant violated numerous states’ privacy and other laws by failing to keep their PII confidential and securely maintained. According to the plaintiffs’ motion for preliminary approval, the settlement (if granted final approval) would establish a settlement class of approximately 4,341,523 members whose PII was potentially compromised by the breach. The settlement would provide $2,000 for each named plaintiff and reimbursement of up to $5,000 of out-of-pocket expenses per class member, including up to eight hours of lost time at $25 per hour and 12 months of financial fraud protection. Additionally, more funds will be given to the California subclass, comprised of 318,091 individuals, who will receive between $100 and $300 in relief each. The defendants will also be required to pay attorneys’ fees and litigation costs and expenses.

    Courts Class Action Data Breach Privacy/Cyber Risk & Data Security Settlement

    Share page with AddThis
  • Colorado reaches agreements with credit unions over unused GAP fees violations

    State Issues

    Recently, the Colorado attorney general announced three separate settlements (see here, here, and here) with three credit unions resolving allegations that they neglected to refund unearned Guaranteed Automobile Protection (GAP) fees to Colorado consumers. The administrator of the Uniform Consumer Credit Code (UCCC), who is part of the Consumer Protection Division of the Department of Law and who led this investigation, concluded that the credit unions engaged in unfair and deceptive trade practices under the Colorado Consumer Protection Act by failing to provide GAP refunds automatically without waiting for a request from the consumer. Under the terms of the assurances of discontinuance, the credit unions have agreed to comply with all legal obligations and issue refunds to affected borrowers, and: (i) must comply with the UCCC rule’s GAP refund requirements; (ii) are subjected to an audit to verify the accuracy of their self-audits; and (iii) must send a confirmation letter pre-approved by the administrator to each consumer to whom a GAP refund was paid because of the self-audits. The AG noted that the “settlements are part of our office’s efforts to ensure lending institutions follow Colorado law and do not cheat hardworking consumers out of money they are entitled to under their lending and coverage agreements.”

    State Issues Colorado GAP Fees State Attorney General Enforcement Settlement Credit Union Consumer Finance

    Share page with AddThis
  • District Court approves $17 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues CCPA California

    Share page with AddThis
  • DOJ resolves SCRA violations with credit union

    Federal Issues

    On March 11, the DOJ announced a settlement with a credit union resolving allegations that the credit union violated the Servicemembers Civil Relief Act (SCRA) by charging excessive interest on servicemembers’ loans and repossessing servicemembers’ cars without first obtaining a court order. According to the DOJ’s complaint, which was filed concurrently with the proposed settlement, the credit union allegedly charged interest exceeding 6 percent to 21 servicemembers who qualified for SCRA interest rate benefits. Under the SCRA, creditors are required to reduce the interest rate on retail installment sales contracts to 6 percent in certain circumstances. However, the DOJ asserted that in at least one instance, a servicemember was told that “reducing the interest rate would increase her monthly payment.” The DOJ also alleged that the credit union repossessed three servicemembers’ vehicles without court orders, including one instance where the vehicle was repossessed from a military base.

    The consent order, which is pending court approval, requires the credit union to pay nearly $70,000 to the affected servicemembers, along with a $40,000 civil penalty. The credit union is also, among other things, prohibited from (i) charging interest rate exceeding 6 percent during a period of military service; (ii) reamortizing any retail installment sales contracts connected to a request for SCRA interest rate benefits; (iii) “failing or refusing to credit early alert periods of military service when applying such benefits”; and (iv) repossessing SCRA-protected servicemembers’ vehicles without first obtaining a court order or valid SCRA waiver. The settlement also requires the credit union to review and update its SCRA policies and procedures to prevent future violations and to provide SCRA compliance training to its employees.

    Federal Issues DOJ SCRA Servicemembers Enforcement Auto Finance Settlement Consumer Finance

    Share page with AddThis
  • FTC fines payment processor $2.3 million for helping online discount clubs bilk consumers

    Federal Issues

    On March 10, the FTC reached a settlement with a payment processing company and two senior officers (collectively, “defendants”) whereby the company would pay $2.3 million in restitution as part of their role in allegedly helping the operators of a group of marketing entities enroll consumers into online discount clubs and debit more than $40 million from consumers’ bank accounts for membership without their authorization. As previously covered by InfoBytes, the FTC’s 2017 complaint claimed that the online discount clubs claimed to offer services to consumers in need of payday, cash advance, or installment loans, but instead enrolled consumers in a coupon service that charged initial fees ranging from $49.89 to $99.49, as well as monthly recurring fees of up to $19.95. However, the FTC’s complaint stated that “99.5 percent of the consumers being illegally charged for the ‘discount clubs’ never accessed any coupons, and that tens of thousands called the defendants to try and cancel the charges, while thousands more disputed the charges directly with their banks.” The FTC accused the defendants of providing “substantial assistance or support” in the way of payment processing services while “knowing or consciously avoiding knowing” that the actions being supported were in violation of the Telemarketing Sales Rule (TSR). The FTC further detailed how defendants ignored several indications of fraudulent activity, including the consistently high return rates generated by the discount club transactions and that a primary client of their services had already been the subject of previous FTC enforcement actions for engaging in similar conduct.

    Under the terms of the settlement, which is pending court approval, the defendants are banned from, among other things, (i) processing remotely created payment orders; (ii) processing payments on behalf of clients whose business involves outbound telemarketing, discount clubs, or offers to help consumers with payday loans; (iii) processing payments on behalf of any client that the defendants know or should know is engaging in deceptive or unfair acts or practices or violating the TSR; and (iv) processing payments for any existing or prospective clients without first conducting a reasonable screening to ensure clients are not violating federal law.

    Federal Issues FTC Enforcement Payment Processors TSR FTC Act Consumer Finance Settlement

    Share page with AddThis