Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 21, the FTC announced a payment processor, its CEO and owner, and two other officers (collectively, “defendants”) agreed to settle charges that they knowingly processed fraudulent transactions to consumers’ accounts in violation of the FTC Act. According to the FTC’s complaint, the defendants allegedly assisted merchants, who were engaged in fraud, in hiding their activities from banks and credit card networks. The defendants allegedly (i) created fake foreign shell companies to open accounts in their names; (ii) submitted dummy websites and other false information to merchant banks; and (iii) worked to evade card network rules and monitoring designed to prevent fraud. The settlement order against the processing company and its CEO imposes a judgment of over $110 million, which is partially suspended due to the inability to pay. The settlement order against one officer imposes a judgment of over $300,000, which is suspended due to the inability to pay. The settlement order against the second officer, the company’s Chief Operating Officer, imposes a $1 million judgment. Each order imposes a permanent ban on the defendants from, among other things, engaging in payment processing and credit card laundering, whether directly or through an intermediary.
On May 22, the FTC published a final rule in the Federal Register rescinding model forms and disclosures promulgated pursuant to the FCRA. The FTC has determined the model forms and disclosures are no longer necessary and the rescission would reduce confusion as the CFPB’s FCRA model forms and disclosures were updated in 2018. Specifically, the final rule rescinds: (i) Appendix A—Model Prescreen Opt-Out Notices; (ii) Appendix D—Standardized Form for Requesting Annual File Disclosures; (iii) Appendix E—Summary of Identity Theft Rights; (iv) Appendix F—General Summary of Consumer Rights; (v) Appendix G—Notice of Furnisher Responsibilities; and (vi) Appendix H—Notice of User Responsibilities. The final rule also makes conforming amendments to FTC rules that reference the applicable forms issued under the FCRA. The rule is effective May 22.
On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned about the agency’s privacy and data security enforcement and regulatory activities, including whether they would support preemption of state privacy laws by a federal privacy statute. Using the California Consumer Privacy Act (covered by InfoBytes here) as an example, some Congressmen worried about the prospect of conflicting privacy legislation in other states, creating “confusion and uncertainty in the business community.”
Split along party lines, Democratic Commissioners expressed caution with federal preemption of state privacy laws; Commissioner Chopra, citing to federal preemption laws leading up to the mortgage crisis, warned of “unintended consequences.” Democratic Commissioner Slaughter recognized the “desire for uniformity, consistency, clarity, and predictability” that a federal law would provide, but noted that the appropriateness of preemption should be based on “whether a federal law meets or exceeds…the level of protections that states can provide and whether it allows them the opportunity to fill any gaps that may remain after a federal law is developed.” Republican Commissioners stressed the importance of having a federal law that would preempt the current “patchwork” of state laws, which Commissioner Phillips argued is “essential” in order to provide businesses clarity and reduced compliance costs, while also providing consumers with more power to understand expectations. FTC Chairman Simons noted that even if federal law preempts state privacy laws, Congress should grant concurrent enforcement authority to the states’ attorneys general.
The hearing also discussed, among other things, (i) the need for additional resources to increase agency staff focused on privacy issues; (ii) giving the FTC authority to levy civil money penalties, as Section 5 of the FTC act does not allow the Commission to seek civil penalties for first-time privacy violations; and (iii) the need for targeted rule-making authority.
On May 8, the FTC held a forum with members of the small business marketplace to discuss the recent uptick in online loans and alternative financing products, and to analyze the potential for unfair and deceptive marketing, sales, and collection practices in the industry. Opening “Strictly Business: An FTC Forum on Small Business Financing,” FTC Commissioner Rohit Chopra expressed broad concerns about the state of entrepreneurship in the U.S. and the barriers small businesses face when negotiating contracts. Three panels discussed topics including (i) recent trends in the financing marketplace and small business financing products; (ii) the impact of fintech in online lending; (iii) an examination of the risks and benefits of the merchant cash advance industry; and (iv) consumer protection risks and legislative, self-regulatory, and educational efforts to help better protect borrowers.
During the first panel, several industry members discussed the importance of credit and financing products in meeting the capital needs of small businesses who often experience challenges with funding operations and cash management. While traditional bank lending and Small Business Administration (SBA) loans often require lengthy, costly underwriting standards, several panelists noted that new marketplace financing options have created opportunities for small businesses that previously did not exist. Among other things, panelists emphasized that there is a big difference between consumer credit and business credit, and that online lenders are leveraging underlying business data, credit card receivables data, and fundamental underlying business transaction data to make sure small businesses can sustain and service their debt. Funding time is also critical to small businesses with many choosing online lenders for faster access to funds. The panel discussed the benefits of online financing products, such as moving away from including consumer credit scores in the underwriting process and examining nontraditional data to look at cash flow, but also cautioned that there can be a lack of transparency around terms and pricing.
The second panel discussed the merchant cash-advance (MCA) industry, which they described as providing an unregulated form of financing for small businesses in the form of factoring future receivables. Recently, the industry has been scrutinized for alleged collection abuses and use of confessions of judgment (COJs). COJs, which allow lenders to legally seize borrowers’ bank accounts and other assets without a judge’s review, have led to a flood of questionable legal actions against small businesses, according to Commissioner Chopra. However, one of the panelists noted that the FTC limited the ban on COJs to consumers.
The third panel discussed consumer protection risks as well as products and information available for small business borrowers. A key concern amongst several of the panelists was whether business borrowers are sophisticated enough to understand the various options and if they are able to receive the necessary information to shop between products, such as APRs, total costs, and average monthly payments. The panel also discussed federal and state law, as well as self-regulatory efforts, that offer protections for small business borrowers. All agreed that there has been significant action taken at the state level to try to standardize and harmonize these types of lending practices, and while there was support for a national standard, they cautioned that a weaker national standard should not preempt a stronger state standard. Transparent disclosure standards, consumer protection oriented issues such as privacy and data security, as well as deceptive practices, were also discussed, with panelists agreeing that outreach and consumer education is vital in helping consumers make informed decisions.
Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, closed the forum by emphasizing that the FTC has broad authority under the FTC Act to tackle unfair and deceptive practices, and stating that the Commission is very concerned about reports of unfair and deceptive marketing, sales, and collection practices in the small-business finance market. He stressed that while financial technologies can evolve quickly, the underlying legal protections for small businesses remain the same.
On May 2, the FTC announced it completed its review of the Holder Rule (the Rule)—formally called the “Trade Regulation Rule Concerning Preservation of Consumers’ Claims and Defenses”—which is applicable when consumers purchase personal goods or services with money loaned by a merchant or a lender that works with a merchant. The Rule, aimed at preventing businesses from using financing mechanisms to collect debts from consumers in situations where the merchant failed to deliver the goods or services or engaged in fraud or other misconduct, preserves consumers’ right to assert the same legal claims and defenses against anyone who purchases the credit contract as they would have against the seller who originally provided the credit. In 2015, as part of a systematic review of all its rules and guides, the FTC sought public comment on the Rule and received 19 comments in response. All comments urged retaining the Rule, and after review, the Commission determined there was a continuing need for the Rule and the record did not warrant a rulemaking to modify the Rule. As reflected in the notice published in the Federal Register, the FTC’s action confirming the Rule took effect May 2 and is applicable as of April 23.
On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the online rewards website operator collected personal information (PII) from users who participated in their online offerings and made promises that their account information was secure. However, the operator allegedly failed to implement data security measures or utilize encryption techniques, which granted hackers access to the network. In addition, the operator allegedly maintained PII in clear unencrypted text. As a result of the breach, hackers published and offered for sale PII for approximately 2.7 million consumers. Under the terms of the decision and order, the operator is, among other things, prohibited from misrepresenting the measures taken to protect consumers’ PII and is required to implement a comprehensive information security program for future collections of PII.
On the same day, the FTC reached a proposed settlement with a dress-up games website and its operators, who allegedly violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 or provide reasonable and appropriate security for the collected data. According to the FTC, data security failures allowed hackers access to the company’s network, which stored information for roughly 245,000 users under age 13. As part of the proposed settlement filed in the U.S. District Court for the Northern District of California, the company and operators, among other things, (i) have agreed to pay $35,000 in civil penalties; (ii) will change their business practices to comply with COPPA; and (iii) are prohibited from selling, sharing, or collecting personal information until a comprehensive data security program is implemented and undergoes independent biennial assessments.
FTC obtains $2.7 million judgment against “free samples” operation; settles deceptive marketing matter
On April 11, the FTC announced that the U.S. District Court for the Northern District of Illinois ordered a New York-based office supply operation to pay $2.7 million to resolve allegations that the defendants targeted consumers, such as small businesses, hotels, municipalities, and charitable organizations, by deceptively misrepresenting the terms of their “free samples.” Specifically, the FTC alleged in 2017 that the defendants violated the Telemarketing and Consumer Fraud and Abuse Prevention Act (Telemarketing Act) and the Unordered Merchandise Statute by calling consumers with offers of free product and then billing the consumers after shipping the samples. In some instances, the FTC stated, consumers refused the offer of the free product, but the defendants sent it anyway. Once the samples were shipped, the FTC claimed the defendants sent follow-up invoices demanding payment for the product, and would then send dunning notices and place collection calls. Under the terms of the order, the defendants are permanently banned from advertising, marketing, promoting, offering for sale, or selling any type of unordered merchandise, or from misrepresenting material facts, and are required to pay $2.7 million to be refunded to affected consumers.
Separately, on April 10, the FTC announced proposed settlements (see here and here) issued against twelve corporate and four individual defendants for allegedly claiming their “cognitive improvement” supplements increase brain power and performance. According to the complaint, the defendants’ deceptive acts and practices included using “sham news” websites to market false and misleading efficacy claims, such as fraudulent celebrity endorsements and fictitious clinical studies. Furthermore, the FTC alleged that, while the defendants claimed to offer a “100% Money Back Guarantee” on their supplements, consumers found it difficult or nearly impossible to get a refund, and that some consumers were allegedly charged for supplements they ordered but never received. The proposed settlements, among other things, prohibits the specified behavior and impose monetary judgments of $14,564,891 and $11,587,117, both of which will be partially suspended due to the defendants’ inability to pay.
On April 11, the FTC announced that a payment processing company and its owner agreed to a $1.8 million settlement resolving allegations that the company repeatedly violated a 2009 court order. That order found that the payment processer knowingly or consciously avoided knowing that debit card transactions it processed, on behalf of an allegedly fraudulent enterprise, were not authorized by the consumers. The FTC alleged that the company violated the 2009 order by, among other things, (i) failing to engage in a reasonable investigation of prospective clients before processing payments on their behalf; (ii) failing to monitor clients’ transactions to ensure that clients were not engaged in illegal behavior; and (iii) failing to adhere to administrative requirements of the order, including submitting a written compliance report to the agency. In addition to the monetary penalty, the new settlement permanently bans the company from working as a payment processor and subjects the company to reporting and recordkeeping requirements.
On April 3, the FTC announced that the U.S. District Court for the District of Nevada ordered a publisher and conference organizer and his three companies (defendants) to pay more than $50.1 million to resolve allegations that the defendants made deceptive claims about the nature of their scientific conferences and online journals, and failed to adequately disclose publication fees in violation of the FTC Act. Among other things, the FTC alleged, and the court agreed, that the defendants misrepresented that their online academic journals underwent rigorous peer reviews but defendants did not conduct or follow the scholarly journal industry’s standard review practices and often provided no edits to submitted materials. The court determined that the defendants also failed to disclose material fees for publishing authors work when soliciting authors and often did not disclose fees until the work had been accepted for publication. The court also found that the defendants falsely advertised the attendance and participation of various prominent academics and researchers at conferences without their permission or actual affiliation.
In addition to the monetary judgment, the final order grants injunctive relief and (i) prohibits the defendants from making misrepresentations regarding their publications and conferences; (ii) requires that the defendants clearly and conspicuously disclose all costs associated with publication in their journals; and (iii) requires the defendants to obtain express written consent from any individual the defendants represent as affiliated with their products or services.
On the same day, the FTC also announced a settlement with a subscription box snack service to resolve allegations that the company violated the FTC Act by misrepresenting customer reviews as independent and failing to adequately disclose key terms of its “free trial” programs. Specifically, the FTC alleged that the company provided customers with free products and other incentives in exchange for posting positive online reviews and misrepresented that independent customers made the reviews or posts. The company also allegedly offered “free trial” snack boxes without adequately disclosing key terms of the offer, including the stipulation that if the trial was not canceled on time, the customer would be automatically enrolled as a subscriber and charged the “total amount owed for six months of snack box shipments.” The proposed order, among other things, prohibits the specified behavior and requires the company to pay $100,000 in consumer redress.
On April 2, the FTC announced that it joined the Food and Drug Administration (FDA) in sending letters to three supplement companies warning them that making allegedly unsupported health and efficacy claims in their advertising may violate the FTC Act. According to the letters (available here, here, and here), the three companies advertise supplements they say contain cannabidiol (commonly known as CBD), and, allegedly, among other things, effectively treat diseases such as cancer, Alzheimer’s disease, fibromyalgia, and neuropsychiatric disorders. The letters emphasize that it is unlawful under the FTC Act “to advertise that a product can prevent, treat, or cure human disease unless you possess competent and reliable scientific evidence, including, when appropriate, well-controlled human clinical studies, substantiating that the claims are true at the time they are made.” The letters also note that the products constitute “new drugs” and cannot be introduced or delivered into interstate commerce without prior FDA approval. The letters appear related to the FTC’s initiative to target advertisers who make deceptive claims about their products. As previously covered by InfoBytes, FTC Chairman, Joseph Simons, spoke about this initiative at a recent conference, and cited several of the agency’s enforcement actions, including challenges to dietary supplement health benefit claims and deceptive environmental claims. Additionally, he stated the agency is prepared to “proceed in federal court as warranted.”
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference