
InfoBytes Blog

Financial Services Law Insights and Observations


  • DOJ settles with Alabama housing authority on discrimination allegations

    Federal Issues

    On December 15, the DOJ announced the approval of a consent decree by the U.S. District Court for the Northern District of Alabama, which resolves a Fair Housing Act lawsuit against an Alabama public housing authority, as well as several related parties, accused of engaging in racial steering. According to the DOJ, the defendants allegedly maintained largely segregated housing and steered Black applicants away from several overwhelmingly white housing communities to two predominantly Black housing communities. In the DOJ’s investigation, tenants and residents reportedly highlighted “the deep psychological stigma and harm suffered by hundreds of Black families who have lived in segregated housing for generations.” Under the consent decree, the defendants must pay $275,000 in damages to 23 current or former tenants who were allegedly harmed by the race discrimination, as well as a $10,000 civil money penalty. Among other requirements, the defendants must (i) implement policies and procedures to remedy the alleged segregation and to ensure applicants are not offered housing community units based on their race or color; (ii) undergo fair housing training; and (iii) periodically submit compliance reports to the DOJ.

    Federal Issues DOJ Enforcement Fair Housing Act Courts Settlement Discrimination

  • District Court approves $4.24 million overdraft settlement

    Courts

    On December 9, the U.S. District Court for the Southern District of Florida granted final approval to a $4.24 million class action settlement resolving allegations related to a defendant bank’s overdraft fee practices. Plaintiff alleged breach of contract claims related to the defendant’s practice of charging overdraft fees on checks and automated clearing house transactions that were paid by the defendant despite customer accounts having insufficient funds. The overdraft fees were allegedly charged after the transaction was resubmitted by a merchant or third party after having previously been returned unpaid by the defendant for insufficient funds. The parties reached a settlement in which the defendant will pay $4.24 million into a settlement fund to provide relief to class members (defined as all current and former consumer checking account holders who were charged at least one retry overdraft fee). The settlement also includes $1.4 million in attorneys’ fees. A service award for the class representative was denied, however, with the court explaining that the law in its circuit makes “clear that incentive awards ‘that compensate a class representative for [her] time and rewards her for bringing a lawsuit’ are prohibited.”

    Courts Consumer Finance Class Action Settlement Overdraft

  • Hair clinic must pay $500,000 to resolve data breach

    Courts

    On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

  • OFAC settles with virtual currency exchange to resolve IP address screening deficiencies

    Financial Crimes

    On November 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $362,158 settlement with a global virtual currency exchange for allegedly exporting services to users who appeared to be located in Iran when they engaged in virtual currency transactions on the exchange’s platform. According to OFAC’s web notice, the exchange’s platform allows users to buy, sell, hold, or exchange cryptocurrencies. Users can also trade fiat currency for cryptocurrency on the platform. The exchange’s anti-money laundering and sanctions compliance program screens customers at onboarding and daily thereafter, and reviews information about IP addresses generated at the time of onboarding to prevent users in sanctioned jurisdictions from opening accounts and conducting transactions. OFAC stated, however, that between October 2015 and June 2019, the exchange allegedly processed 826 transactions totaling roughly $1.6 million on behalf of individuals who appeared to be in Iran when the transactions happened. OFAC maintained that because the exchange failed to implement IP address blocking on transactional activity across its platform, “account holders who established their accounts outside of sanctioned jurisdictions appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.” As a result, the exchange allegedly violated the Iranian Transactions and Sanctions Regulations.

    In arriving at the settlement amount, OFAC determined that the exchange failed to exercise due caution or care for its sanctions compliance obligations by only applying its geolocation controls at the time of onboarding and not with respect to subsequent transactional activity even though it knew customers were located worldwide.

    OFAC also considered various mitigating factors, including that the exchange has not received a penalty notice from OFAC in the preceding five years, the exchange voluntarily self-disclosed the alleged violations and undertook significant remedial measures, such as (i) “adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts” on the exchange’s platform; (ii) implementing blockchain analysis tools to assist with sanctions monitoring; (iii) expanding staff and providing compliance training; (iv) adding “additional screening capabilities to ensure compliance with OFAC’s ‘50 Percent Rule,’ including detailed reports on beneficial ownership”; (v) contracting a vendor to assist with the identification and nationality verification through the use of artificial intelligence tools; and (vi) implementing automated controls designed to block certain accounts. In addition, the exchange agreed to invest an additional $100,000 in certain sanctions compliance controls as part of the settlement.

    Providing context for the settlement, OFAC stated that this action “highlights the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions”—both at the time of onboarding and throughout the lifetime of the account.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Digital Assets Cryptocurrency Enforcement Settlement Anti-Money Laundering Iran

  • Tech company to pay $391.5 million to resolve data tracking allegations

    State Issues

    On November 10, forty states and a multinational technology company reached a $391.5 million settlement resolving allegations that the company tracked users’ locations even after they believed the feature was turned off. According to the assurance of voluntary compliance, the company allegedly misrepresented and omitted, among other things, material information regarding the location history and web and app activity settings, which “confused users about how location information would be captured, stored, and used without users’ knowledge or consent.” Additionally, the company allegedly used deceptive and unfair practices in a setting “that purports to allow users to opt out of personalized advertising and allows users to ‘control’ [the company’s] use of their location information.” The company agreed to, among other things: (i) “issue a pop-up notification to users who have location history or web & app activity enabled at the time of the notification”; (ii) “send an email to users who have location history or web & app activity enabled at the time of the notification”; and (iii) design and present a location technologies page “in a clear and conspicuous disclosure.”

    State Issues Privacy, Cyber Risk & Data Security State Attorney General Settlement Consumer Protection

  • District Court approves payday settlement

    Courts

    On November 10, the U.S. District Court for the Southern District of Mississippi issued a final settlement order resolving allegations that a Mississippi-based payday lender violated the CFPA in connection with check cashing services and small dollar loans. As previously covered by InfoBytes, the CFPB filed a complaint against two Mississippi-based payday loan and check cashing companies for allegedly violating the CFPA’s prohibition on unfair, deceptive, or abusive acts or practices.

    In March 2018, a district court denied the payday lenders’ motion for judgment on the pleadings, rejecting the argument that the Bureau's structure is unconstitutional and that the agency’s claims violate due process. The U.S. Court of Appeals for the Fifth Circuit agreed to hear an interlocutory appeal on the constitutionality question, and, prior to the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB, a divided panel held that the CFPB’s single-director structure is constitutional, finding no constitutional defect with allowing the director of the Bureau to only be fired for cause (covered by InfoBytes here). The order noted that the 5th Circuit voted sua sponte to rehear the case en banc and issued an opinion in which the majority vacated the district court’s opinion as contrary to Seila Law. The majority did not, however, direct the district court to enter judgment against the Bureau because, though the Supreme Court had found that the director’s for-cause removal provision was unconstitutional, it was severable from the statute establishing the Bureau (covered by a Buckley Special Alert). The majority determined that the “time has arrived for the district court to proceed” and stated it “place[s] no limitation on the matters that that court may consider, including, without limitation, any other constitutional challenges.”

    According to the settlement, the owner and president of the company must pay a civil money penalty of $899,350 to the Bureau “by reason of the [UDAAP violations] alleged in the Complaint.” However, the order further noted that the amount is remitted by $889,350 because he paid “that amount in fines to the Mississippi Department of Banking and Consumer Finance.” The district court also entered a separate order dismissing the lawsuit with prejudice.

    Courts State Issues CFPB CFPA Appellate Fifth Circuit Single-Director Structure UDAAP Enforcement Seila Law Payday Lending Settlement Funding Structure

  • States reach multi-million dollar CRA data breach settlement

    Privacy, Cyber Risk & Data Security

    On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitoring services to affected consumers.

    Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.

    Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement State Issues State Attorney General Credit Reporting Agency

  • District Court preliminarily approves $2.35 million settlement for card data breach

    Privacy, Cyber Risk & Data Security

    On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits were filed alleging violations of numerous state laws that were eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect for a cash payment, and request credit monitoring services.

    The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”

    Privacy, Cyber Risk & Data Security Courts Data Breach Consumer Protection Class Action Settlement State Issues California

  • Mortgage servicer must pay $4.5 million in payment service fee suit

    Courts

    On November 7, the U.S. District Court for the Southern District of West Virginia granted final approval of a class action settlement, resolving allegations that a defendant mortgage servicer charged improper fees for optional payment services in connection with mortgage payments made online or over the telephone. The plaintiffs' memorandum of law in support of its motion for final approval of the settlement alleges the defendant engaged in violations of the West Virginia Consumer Credit Protection Act, breach of contract, and unjust enrichment with respect to the fees. According to the memorandum, before deduction of attorneys’ fees and expenses, administrative costs, and any service award, the $4.5 million settlement fund represents approximately $216 per fee paid to the defendant by the putative class members. The court also approved $1.5 million in attorney’s fees, plus $4,519.20 in expenses, along with a $15,000 service award for the settlement class representative.

    Courts Class Action Settlement Fees Mortgages Mortgage Servicing State Issues West Virginia

  • District Court approves $14 million wireless rates settlement

    Courts

    On November 8, the U.S. District Court for the Northern District of California granted final approval to a $14 million settlement resolving allegations that a telecommunications company made misleading claims regarding its administrative fees. According to the plaintiffs’ memorandum of points and authorities in support of motion for preliminary approval of class settlement, current and former wireless-service customers of the defendant (plaintiffs) with post-paid wireless service plans were charged an improper administrative fee. The plaintiffs alleged, generally, that the defendant’s representations and advertisements regarding the monthly price of its post-paid wireless service plans were misleading because the prices did not include the administrative fee, and that the defendant implemented and charged the administrative fee in a deceptive and unfair manner. According to the terms of the $14 million settlement agreement, $3.5 million of the award will cover attorney fees and costs, with additional funds allocated to cover litigation expenses.

    Courts Class Action Consumer Finance Fees Settlement
