InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Virginia AG Announces Settlement With Internet Lender Over Licensing Claims and Origination Fees
On November 30, Virginia Attorney General Mark R. Herring announced a settlement with a Chicago-based “open-end credit plan internet lender” to resolve alleged violations of the Virginia Consumer Protection Act (VCPA). Specifically, the Attorney General’s Office alleged that the lender misrepresented that it was licensed to conduct lending activity in Virginia and charged unlawful origination fees during a statutorily required grace period. According to a press release issued by the Attorney General’s office, the settlement requires the lender to provide more than $3 million of refunds and interest forgiveness to borrowers, and pay the state $30,000 in civil money penalties, costs, and fees. The settlement also contains a permanent injunction that prohibits the lender from misrepresenting its status as a licensed Virginia lender and violating the VCPA.
Fed Fines Kansas State Bank for Alleged Deceptive Mortgage Acts
On November 28, the Federal Reserve Board (Fed) announced it had entered into a consent order with a Kansas state bank over allegations that the bank engaged in deceptive mortgage origination practices in violation of the FTC Act. Specifically, the order alleges that the bank told borrowers that they were paying for discount points that would lower their interest rate, but did not in fact provide those borrowers an interest rate reflective of the price paid for the discount points or, in some cases, a reduced rate at all. The Fed’s order requires the bank to pay restitution to the affected borrowers, but did not impose a further civil money penalty. The bank has decided to terminate all operations of its national mortgage business by year-end 2017.
FTC Announces Final Approval of Settlements With Companies Over EU-U.S. Privacy Shield False Certification Claims
On November 29, the FTC announced it had approved final settlements with three companies over allegations that they falsely claimed participation in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. (See previous InfoBytes coverage here.) The settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions following the EU’s finalization and adoption in July 2016 (as covered by InfoBytes) of the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.
Ride-Sharing Company Announces Data Breach; State Attorneys General Launch Investigations
On November 21, a ride-sharing company disclosed via press release a 2016 data breach that exposed the personal data of 57 million riders and drivers. According to the company, an outside forensic investigation revealed that in October 2016 hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. The company claimed that hackers did not obtain driver or passenger social security, credit card, bank account, birth date, or trip location information. Though the company stated that it has taken action to address the delay in notifying affected individuals and regulators, lawsuits filed by the State of Washington and the City of Chicago claim that the company capitulated to hackers’ demands and “paid the hackers to delete the consumer data and keep quiet about the breach.”
According to a letter from the company to the Washington attorney general attached to the state’s complaint, the company “is taking personnel actions with respect to some of those involved in the handling of the incident.” The company further stated that it has “implemented and will implement further technical security measures, including improvements related to both access controls and encryption.”
According to sources, three separate class action lawsuits have been filed against the company as a result of the 2016 breach (see here, here, and here) and five attorneys general (New York, Illinois, Connecticut, Massachusetts, and Missouri) have launched investigations.
The 2016 data breach follows a settlement in January of that year with the New York Attorney General related to allegations that the company failed to promptly disclose a 2014 data breach. The 2014 data breach involved an alleged failure to prevent unauthorized access to the company’s consumer and driver data maintained on a third-party cloud service provider. As previously reported in InfoBytes in August, the company reached a settlement with the FTC related to the 2014 data breach; however, that settlement was entered into before the company disclosed the existence of the 2016 breach.
In a related development, on November 27, the U.S. District Court for the Northern District of California dismissed without prejudice a putative class action lawsuit against the company related to the 2014 data breach. The court held that the driver’s name, license number, and limited banking information disclosed in the breach was not the type of personally identifiable information that could expose plaintiffs to the risk of identity theft. Accordingly, the court dismissed the case for lack of Article III standing. The court also granted plaintiffs a final opportunity to amend their complaint to address the standing deficiencies.
OFAC Penalizes Credit Card Issuer for Violations of Cuban Assets Control Regulations
On November 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced that it had reached a $204,277 settlement with a U.S. financial institution for alleged violations of the Cuban Assets Control Regulations (CACR). The settlement involves actions taken by an international credit card company which, at the time of the apparent violations, was a wholly owned subsidiary of an entity that was itself 50 percent owned by the U.S. financial institution. According to the announcement, between 2009 and 2014, credit cards that the company issued to over 100 corporate customers were used to make purchases in Cuba or otherwise involved Cuba. OFAC asserts that the company failed to implement controls to prevent this even though it had policies and procedures in place to review transactions for compliance with CACR.
In determining the settlement amount, OFAC considered that (i) employees within the company had reason to know of the conduct that led to the alleged violations; (ii) none of the entities involved appeared to appreciate the risk that the credit cards might be used in Cuba; (iii) at the time they occurred, the actions resulted in harm to the US sanctions program objectives; (iv) the U.S. financial institution is a large and sophisticated financial entity; and (v) during the investigation, the entities provided “verifiably inaccurate or incomplete, including material omissions.” OFAC also considered the fact that the entities voluntarily self-disclosed the alleged violations and the U.S. financial institution took “swift and appropriate remedial action” upon discovery.
OFAC recently announced updates to CACR, covered by InfoBytes here.
DOJ Announces $5.4 Million in Additional Relief for Servicemembers Impacted by Bank’s Alleged SCRA Violations
On November 14, the DOJ announced it had secured an additional $5.4 million from a major U.S. bank related to a September 2016 settlement (previously covered by InfoBytes) resolving allegations that between January 2008 and July 2015 the bank repossessed vehicles owned by active duty servicemembers without required court orders in violation of the Servicemembers Civil Relief Act. The original consent order with the DOJ required the bank to pay $10,000, plus lost equity, to each of the 413 affected servicemembers whose cars were found to be unlawfully seized and further stipulated the bank could be required to compensate additional servicemembers. Since entering into the 2016 settlement with the DOJ, the bank announced it had uncovered another 450 qualifying servicemembers, bringing the combined affected total to 863, with compensatory payouts of more than $10 million.
OFAC Announces Cuban Assets Control Regulations Updates; Releases New FAQs
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced amendments to the Cuban Assets Control Regulations to implement changes related to certain financial transaction restrictions and economic activities. In accordance with the National Security Presidential Memorandum issued by President Trump on June 16, the amendments will, among other things, prohibit “persons subject to U.S. jurisdictions” from engaging in financial transactions with entities and subentities identified on the State Department’s Cuba Restricted List. This effort is intended to “channel economic activities away from the Cuban military, intelligence, and security services, while maintaining opportunities for Americans to engage in authorized travel to Cuba and support the private, small business sector in Cuba.” The amendments will take effect November 9. OFAC also released updated FAQs and a fact sheet to answer questions related to the amended regulations.
Refer here, here, and here for InfoBytes coverage on OFAC settlements of alleged violations of the Cuban Assets Control Regulations.
FTC Fines California Auto Dealer for Violating Order About Disclosures
On November 6, the FTC announced a settlement of $1.4 million with a Southern California auto dealership for violating a 2014 administrative order (Order). The Order prohibited the dealership from misrepresenting the cost to finance or lease a vehicle. In issuing the Order, the FTC alleged that the dealership had violated the FTC Act by using advertisements that deceptively stated a $0 up-front lease option while excluding other fees and costs, and also that the dealership’s advertisements violated disclosure requirements of the Consumer Leasing Act (CLA) and TILA.
The new settlement resolves a complaint in which the FTC alleged the auto dealership “routinely violated” the Order requiring the dealership to, among other things, (i) accurately represent costs and terms of financing or leasing vehicles; (ii) conform its advertisements to the requirements of the CLA and TILA; and (iv) maintain necessary records and make those records available to the agency. In addition to the monetary penalty and the prohibition of similar practices, the settlement also subjects the dealership to strong compliance and reporting requirements.
Federal Reserve Board Issues Consent Order for the Alleged Deceptive Marketing of Balance Transfer Credit Cards
On October 26, the Federal Reserve Board (Fed) announced it had entered into a consent order with Mid America Bank & Trust Company (Mid America) over allegations that the bank engaged in deceptive practices in violation of the FTC Act involving balance transfer credit cards issued to consumers through third party independent service organizations. On the same day, the Fed announced its approval of an application by Reliable Community Bankshares, Inc. to acquire Mid America’s holding company, Mid America Banking Corporation. The allegations pertain to the adequacy of marketing materials, disclosures and other customer communications that described certain terms of the balance transfer cards such as credit reporting, available credit, and application of the statute of limitations to transferred balances. The Fed’s order requires the bank to refund certain fees, account balances and payments to its cardholders and other non-monetary actions, including compliance program enhancements. The order did not impose a civil money penalty.
Illinois AG and FTC Reach $9 Million Settlement With Phantom Debt Collector
On October 31, Illinois Attorney General Lisa Madigan and the Federal Trade Commission (FTC) announced settlements with three operators of a fake debt collection scheme in Chicago. According to the Attorney General’s office, the three individuals and associated companies identified people who had recently applied for or received a short-term loan and then posed as a law firm to collect on the debt. The companies also sold fictitious loan debt portfolios to other debt buyers, who then attempted to collect on the fake debts. The settlements require the operators to surrender at least $9 million in assets (which will be used to refund impacted consumers) and, among other things, ban them from the debt collection business and from selling debt portfolios.