Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 11, the FTC announced it was charging a student loan debt relief operation with violations of the FTC Act and the Telemarketing Sales Rule for allegedly engaging in deceptive practices when marketing and selling their debt relief services. The complaint alleges the operators of the scheme allegedly, among other things, (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. According to the FTC, the defendants allegedly collected more than $23 million from consumers, and when asked why their payments were not being applied to their loans, the defendants “informed consumers that their entire payments had been collected as ‘handling’ or ‘management’ fees.” On July 10, the U.S. District Court for the Central District of California issued a temporary restraining order and asset freeze at the FTC’s request. The FTC seeks a permanent injunction against the defendants to prevent future violations, as well as redress for injured consumers through “rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”
On July 1, the FTC announced, together with the New York attorney general, a settlement with two New York-based phantom debt operations and their principals (collectively, “defendants”) resolving allegations that the operations bought, placed for collection, sold lists of, and collected on fake debts that consumers did not owe. As previously covered by InfoBytes, the June 2018 complaint alleged that the defendants ran a deceptive and abusive debt collection scheme in violation of the FTC Act, the FDCPA, and New York state law. The settlement order against one company and its owners bans the defendants from debt collection activities, including buying, placing for collection, and selling debt. The order requires the defendants to pay a combined $676,575, suspending the total judgment of $6.75 million, due to inability to pay. The settlement order against the other company and its owner prohibits the defendants from engaging in unlawful collection practices and requires the payment of $118,000, suspending the total judgment of $4.94 million, due to inability to pay.
On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics:
- Session 1: Privacy Policies, Disclosures, and Permissions. Five presenters discussed various aspects of privacy policies and notices to consumers. The panel discussed current trends showing that privacy notices to consumers have generally become lengthier in recent years, which helps cover the information regulators require, but often results in information overload for consumers more generally. One presenter advocated the concept of a condensed “nutrition label” for privacy, but acknowledged the challenge of distilling complicated activities into short bullets.
- Session 2: Consumer Preferences, Expectations, and Behaviors. This panel addressed research concerning consumer expectations and behaviors with regard to privacy. Among other anecdotal information, the presenters noted that many consumers are aware that personal data is tracked, but consumers are generally unaware of what data collectors ultimately do with the personal data once collected. To that end, one presenter advocated prescriptive limits on data collection in general, which would take the onus off consumers to protect themselves. Separately, with regard to the Children’s Online Privacy Protection Act (COPPA), one presenter noted that the law generally aligns with parents’ privacy expectations, but the implementing regulations and guidelines are too broad and leave too much room for implementation variations.
- Session 3: Tracking and Online Advertising. In the third session, five presenters covered various topics, including privacy implications of free versus paid-for applications to the impact of the EU’s General Data Protection Regulation (GDPR). According to the presenters, current research suggests that the measurable privacy benefits of paying for an app are “tenuous at best,” and consumers cannot be expected to make informed decisions because the necessary privacy information is not always available in the purchase program on a mobile device such as a phone. As for GDPR, the panel agreed that there are notable reductions in web use, with page views falling 9.7 percent in one study, although it is not clear whether such reduction is directly correlated to the May 25, 2018 effective date for enforcement of GDPR.
- Session 4: Vulnerabilities, Leaks, and Breach Notifications. In the final presentation, presenters discussed new research on how companies can mitigate data security vulnerabilities and improve remediation. One presenter discussed the need for proactive identification of vulnerabilities, noting that the goal should be to patch the real vulnerabilities and limit efforts related to vulnerabilities that are unlikely to be exploited. Another presenter analyzed data breach notifications to consumers, noting that all 50 states have data breach notification laws, but there is no consensus as to best practices related to the content or timing of notifications to consumers. The presenter concluded with recommendations for future notification regulations: (i) incorporate readability testing based on standardized methods; (ii) provide concrete guidelines of when customers need to be notified, what content needs to be included, and how the information should be presented; (iii) include visuals to highlight key information; and (iv) leverage the influence of templates, such as the model privacy form for the Gramm-Leach-Bliley Act.
On June 24, the FTC finalized the “Free Electronic Credit Monitoring for Active Duty Military Rule,” which implements the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty military consumers. The proposed rule, issued in November 2018 (covered by InfoBytes here), defined the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify active duty military consumers within 24 hours of any material change. The proposal noted that CRAs may require that active duty military provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibited CRAs from requiring active duty military consumers to purchase a product in order to obtain the free service.
In response to comments on the proposal, the final rule refers to the definition of “active duty military consumer” in the FCRA, which requires that the servicemember be assigned to service away from their usual duty station, or be a member of the National Guard, regardless of whether the National Guard member is stationed away from their normal duty station. The FTC noted that commenters requested the requirement that the servicemember be stationed away from their normal duty station be eliminated but “the statutory language limit[ed] the Commission’s discretion on [the] topic.” However, the FCRA does not apply the same duty station requirement to the National Guard. Additionally, the final rule, among other things (i) requires CRAs to provide free access to a credit file when it notifies an active duty military consumer about a material change to the file; (ii) extends the amount of time the CRAs have to notify an active duty military consumer of a material change from 24 hours to 48 hours; and (iii) prohibits CRAs from requiring that active duty military consumers agree to terms or conditions as a requirement to obtain their free credit file, unless the terms or conditions are necessary to comply with certain legal requirements.
While the final rule goes into effect three months after publication in the Federal Register, CRAs will be allowed to comply with certain portions of the final rule by offering existing credit monitoring services to active duty military consumers for free, for a period of up to one year from the effective date.
On June 25, the FTC announced a major crackdown on illegal robocalls named “Operation Call it Quits,” which includes 94 enforcement actions from around the country brought by the FTC and 25 other federal, state, and local agencies. In addition to actions targeting the actors, the operation also includes a consumer education initiative and promotion of the development of technology-based solutions to block robocalls and fight caller ID spoofing. In addition to the 87 other enforcement actions brought under the initiatives, the FTC announced four new actions, some of which were filed by the DOJ on the FTC’s behalf, and three new settlements targeting robocallers for violations of the FTC Act and the Telemarketing Sales Rule (TSR), among other things. The FTC alleges many of the actors used illegal robocalls to contact financially distressed consumers regarding interest rate reductions, sell fraudulent money-making opportunities, pitch free medical alert systems, or develop leads for solar energy companies. The affected consumers in these actions were often listed on the Do Not Call Registry. The FTC provided a complete list of the 94 actions brought under Operation Call it Quits.
State Attorneys General participating in the initiative are: Alabama, Arizona, Colorado, Florida, Illinois, Indiana, Michigan, Missouri, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Texas, and Virginia. Additionally, local agencies include: the Consumer Protection Divisions of the District Attorneys for the Counties of Los Angeles, San Diego, Riverside, and Santa Clara, California; the Florida Department of Agriculture and Consumer Services; and the Los Angeles City Attorney.
On June 21, the FTC announced that the U.S. District Court for the District of Connecticut temporarily halted the operation of an alleged credit repair scheme based on allegations the company charged illegal upfront fees and falsely claimed to substantially improve consumers’ credit scores in violation of the FTC Act, the Credit Repair Organizations Act, the Telemarketing Sales Rule (TSR), the Consumer Review Fairness Act, TILA, and the EFTA. According to the complaint, since 2014, the company, among other things, (i) claims they can improve consumers’ credit scores by removing negative items and hard inquiries from credit reports; (ii) charges advance fees for their services; (iii) does not provide the required disclosures for its services, including credit transaction disclosures related to the financing of the service fees; (iv) engages in electronic funds transfers from consumers’ bank accounts without proper authorization; and (v) threatens consumers with legal action after consumers complain about the lack of results. The court order requires the company to temporarily cease its operations and ensures the company’s assets are frozen.
On June 17, the U.S. Court of Appeals for the 9th Circuit held that no showing of irreparable harm is required for the FTC to obtain injunctive relief when the relief is sought in conjunction with a statutory enforcement action where the applicable statute authorizes such relief. According to the opinion, the FTC brought an action against an entity and related individuals (collectively, “defendants”) operating a mortgage loan modification scheme for allegedly violating the FTC Act and Regulation O by making false promises to consumers for services designed to prevent foreclosures or reduce interest rates or monthly mortgage payments. (Previously covered by InfoBytes here.) The FTC brought the action under the second proviso of Section 13(b) of the FTC Act, which allows the agency to pursue injunctive relief without initiating administrative action. The district court granted the motion for preliminary injunction without requiring the FTC to make a showing of irreparable harm.
On appeal, the 9th Circuit rejected the defendants’ argument that the FTC was still required to demonstrate the likelihood of irreparable harm in a Section 13(b) action. The appellate court noted that the FTC’s position is supported by the court’s precedent, quoting “‘[w]here an injunction is authorized by statute, and the statutory conditions are satisfied . . ., the agency to whom the enforcement of the right has been entrusted is not required to show irreparable injury.’” The appellate court concluded that its precedent is not irreconcilable with the 2008 Supreme Court decision in Winter v. Natural Resource Defense Council, Inc, noting that Winter did not address injunctive relief in the context of statutory enforcement. Therefore, the appellate court concluded that although irreparable harm is required to obtain injunctive relief in an ordinary case, the district court did not error in granting injunctive relief, without the showing of irreparable harm, in conjunction with a statutory enforcement action.
On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
In its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The proposed consent order requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the proposed consent order requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
On June 6, the FTC announced that it submitted its 2018 Annual Financial Acts Enforcement Report to the CFPB. The report—which the Bureau requested for its use in preparing its 2018 Annual Report to Congress—covers the FTC’s enforcement activities regarding Regulation Z (the Truth in Lending Act or TILA), Regulation M (the Consumer Leasing Act or CLA), and Regulation E (the Electronic Fund Transfer Act or EFTA). Highlights of the enforcement matters covered in the report include:
- Auto Lending and Leasing. The report discusses two enforcement matters related to deceptive automobile dealer practices. The first, filed in August 2018, alleged that a group of four auto dealers, among other things, advertised misleading discounts and incentives in their vehicle advertisements, and falsely inflated consumers’ income and down payment information on financing applications. The charges brought against the defendants allege violations of the FTC Act, TILA, and the CLA. The FTC sought, among other remedies, a permanent injunction to prevent future violations, restitution, and disgorgement. (Detailed InfoBytes coverage of the filing is available here.) In the second, in December 2018, the FTC mailed over 43,000 checks, totaling over $3.5 million, to consumers allegedly harmed by nine dealerships and owners engaged in deceptive and unfair sales and financing practices, deceptive advertising, and deceptive online reviews. (Detailed InfoBytes coverage is available here.)
- Payday Lending. The report covers two enforcement matters, including the U.S. Court of Appeals for the 9th Circuit’s December 2018 decision upholding the $1.3 billion judgment against defendants responsible for operating an allegedly deceptive payday lending program. The decision is the result of a 2012 complaint in which the FTC alleged that the defendants engaged in deceptive acts or practices in violation of Section 5(a) of the FTC Act by making false and misleading representations about costs and payment of the loans. (Detailed InfoBytes coverage is available here.) The report also indicates that, in February 2018, the FTC issued over 72,000 checks totaling more an $2.9 million to consumers stemming from a July 2015 settlement, that alleged that online payday operators used personal financial information purchased from third-party lead generators or data brokers to make unauthorized deposits into and withdrawals from consumers’ bank accounts, regardless of whether the consumer applied for a payday loan. (Detailed InfoBytes coverage is available here.)
- Negative Option. The report covers six enforcement matters related to alleged violations of the EFTA and Regulation E for “negative option” plans, including three new filings against online marketers for allegedly advertising “free trial” offers for products that enrolled consumers in expensive, ongoing plans without their knowledge or consent. The report notes that, in 2018, the FTC reached a settlement with one entity and obtained a court judgment against another, both resulting in injunctive relief and monetary settlements (which were suspended due to the defendants’ inability to pay). The report also notes that the FTC mailed 2,116 refund checks totaling more than $355,000 to people who bought an allegedly deceptive “memory improvement” supplement.
Additionally, the report addresses the FTC’s research and policy efforts related to truth in lending and leasing, and electronic fund transfer issues, including (i) a study of consumers’ experiences in buying and financing automobiles at dealerships; and (ii) the FTC’s Military Task Force’s work on military consumer protection issues. The report also outlines the FTC’s consumer and business education efforts, which include several blog posts warning of new scams and practices.
On May 24, the FTC announced the launch of a dedicated fintech resource page hosted on the agency’s business center website. The fintech page contains the following materials: (i) guidance, including Safeguards Rule and Privacy Rule compliance information; (ii) videos that will be regularly rotated discussing topics such as artificial intelligence and blockchain; (iii) related posts containing relevant information on small business financing and recent fintech enforcement actions; and (iv) legal resources, including relevant cases and staff reports.
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference