Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 7, the FTC announced two new cases (and simultaneous settlements), one against a debt collector and the other against an auto dealer, alleging privacy and data violations based on the use of peer-to-peer file sharing software. In both cases, the FTC claims that the firms allowed file-sharing software to be installed on company computers, thereby allowing files containing personal customer information to be accessed by any other person using a networked computer. Both companies, according to the FTC, (i) did not have adequate security plans, (ii) did not use reasonable measures to enforce compliance with existing security policies, (iii) did not adequately train employees, (iv) did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks, and (v) failed to assess risk to consumers. For the debt collector, the FTC alleges that the failures constituted an unfair act or practice in violation of the FTC Act. The FTC claims that the auto dealer also violated the FTC Act and, for the first time, charges an auto dealer with violations of certain Gramm-Leach-Bliley (GLB) Act rules. The settlement orders with both companies bar misrepresentations regarding the privacy, security, confidentiality, and integrity of any personal information and require that the firms establish comprehensive information security programs that will be audited every other year for 20 years. The auto dealer also is barred from violating the GLB rules at issue.
D.C. Federal Court Holds FCRA Credit Report Notice Requirements Apply to Auto Dealers Engaging in Third Party Financing Transactions
On May 10, Deputy U.S. Attorney General Sally Yates spoke at the New York City Bar Association’s White Collar Crime Conference and expanded on the DOJ’s Individual Accountability Policy, which informally bears Yates’ name (the Yates Memo). The DOJ issued the Yates Memo in September 2015, and Yates’ remarks were focused on why DOJ issued the policy and how it has been working in practice. Yates made clear that “holding individuals accountable for corporate wrongdoing has always been a priority for” DOJ, but that the policy memorandum was necessary to overcome “real world challenges” that DOJ encounters (e.g., convoluted corporate structures and lines of authority, data privacy laws, and inability to compel foreign witness testimony) so that it can hold individuals responsible for corporate wrongdoing.
In practice, Yates said that the policy has not caused the parade of horrors that defense attorneys and client alerts have predicted. For example, she stated that she was not aware of any company refusing to cooperate with DOJ as a result of the policy. She further added that “no one has told us that they will be forced to waive privilege in order to comply with the policy.” Instead, she said that the policy already has caused a shift toward higher compliance standards within companies.
Yates also highlighted how DOJ attorneys are focused on individuals from the outset of an investigation: “The first thing the lawyers briefing me discuss is what we are doing to identify the individuals involved and what the company is doing during the course of its cooperation to meet its obligation to provide all the facts about individual conduct.” In addition civil enforcement efforts have broadened to focusing on individuals. According to Yates, “[a]bility to pay is one of the factors considered, but it’s no longer the determinative factor in deciding whether to bring an action in the first instance.
On May 8, the FTC announced that it had joined the CFPB and the DOJ to file a brief supporting the constitutionality of the Fair Credit Reporting Act (FCRA). The brief was filed in a lawsuit in the U.S. District Court for the Eastern District of Pennsylvania in which a consumer alleged that a consumer reporting agency (CRA) violated FCRA by reporting on arrest records that were more than seven years’ old. Responding to these allegations, the CRA argued that the Supreme Court’s decision in Sorell v. IMS Health, Inc., 131 S. Ct. 2653 (2011), rendered FCRA’s seven-year limitation unconstitutional under the First Amendment. The federal entities’ brief counters that Sorell does not alter the test for commercial speech restrictions established in Central Hudson Gas and Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980). It goes on to argue that, under this test, the government has a substantial interest in protecting individuals’ privacy and that FCRA protects this interest while accommodating businesses’ competing interest in obtaining complete information about potential borrowers.
On February 10, 2016, Dutch oilfield company SBM Offshore announced that the U.S. DOJ has now re-opened its investigation into allegations that SBM paid bribes to secure contracts in various countries around the world. SBM stated that the DOJ has made “information requests” in connection with the bribery investigation and that SBM is “seeking further clarification about the scope of the inquiry.”
SBM previously had reached a $240 million settlement with Dutch authorities in November 2014 to resolve allegations involving bribes to government officials in Angola, Brazil, and Equatorial Guinea between 2007 and 2011. At the time, SBM announced that the DOJ had simultaneously closed its investigation into the same matter. Its most recent announcement, however, shows that the U.S. government has rekindled its inquiry.
SBM also announced that it has reserved $245 million to cover a possible settlement with Brazilian authorities. This announcement comes on the heels of a January 2016 settlement between the Ministerio Publico Federal (MPF), Brazil’s Public Prosecutor’s Office, and SBM’s CEO and a member of SBM’s supervisory board apparently tied to the ongoing Petrobras scandal in Brazil.
Click here to view previous FCPA Scorecard coverage of the SBM investigation.
On January 22, 2016, the Ministerio Publico Federal (MPF), Brazil’s Public Prosecutor’s Office, reportedly entered into a settlement with Dutch drilling company SBM Offshore’s CEO and a member of its supervisory board, resolving misdemeanor allegations apparently tied to the ongoing Petrobras probe in Brazil. If the settlement is approved by the Brazilian judge handling the case, both individuals will be fined approximately $60,000 each, with no admission of guilt.
SBM Offshore stated in response that while it “believes that accepting the settlement offers a pragmatic opportunity to expeditiously resolve this matter that avoids long and costly legal proceedings,” it remains of the opinion that the accusations are without merit and that it stands behind both individuals. While SBM Offshore declined to comment on the specific accusations of misconduct in this case, the settlement comes a little over a year after SBM Offshore resolved an enforcement action in the Netherlands involving alleged bribes in Angola, Brazil, and Equatorial Guinea between 2007 and 2011.
Click here to view previous FCPA Scorecard coverage of SBM Offshore and Brazil’s Petrobras investigation.
On April 4, the FTC released complaints filed recently against two operations allegedly engaged in deceptive auto loan modification schemes. According to the FTC, the two companies and several related individuals instructed consumers to stop paying their auto loans and promised to lower their monthly payments in exchange for up-front payment of fees, but then did not provide promised refunds when they failed to obtain car loan modifications. The FTC complaints detail the companies’ Internet and other marketing efforts and alleged false promises of lower monthly payments and money-back guarantees. These are the first auto loan modification cases filed by the FTC, which has been actively pursuing allegations of similar mortgage loan modification schemes. Concurrent with these announced cases, the FTC released an alert for consumers seeking assistance in managing their auto loans. The FTC also recently closed out a year of seeking public input on consumer protection issues that arise in auto sales, financing, and leasing.
On April 2, the FTC announced that it filed a complaint in the United States District Court for the District of Nevada against a payday lending operation that allegedly charged undisclosed and inflated fees, and collected on loans illegally by threatening borrowers with arrest and lawsuits. The FTC alleges that the operation, consisting of numerous defendants including three Internet-based lending companies, seven related companies and numerous individuals (i) violated the FTC Act by making misrepresentations and false threats, (ii) violated TILA by failing to accurately disclose APR and other loan terms, and (iii) violated the Electronic Fund Transfer Act by requiring consumers to preauthorize electronic fund transfers from their accounts. According to the FTC, the defendants have claimed in state court that they are immune from legal action because of their affiliation with Native American tribes. The FTC argues that notwithstanding any such affiliation, the defendants are still subject to federal law. This is the second time in seven months that the FTC has brought suit against a payday lender that has used a tribal affiliation defense against actions by state authorities.
On May 20, BHP Billiton, an Australian-based metal resources company, paid $25 million to settle claims brought by the SEC alleging that the company violated the FCPA’s internal controls and books and records provisions by sponsoring the attendance of foreign government officials at the 2008 Beijing Olympics. According to the SEC’s cease-and-desist order, in which the company neither admitted nor denied the SEC’s findings, BHP Billiton invited 176 government officials to attend the Olympics at BHP Billiton’s expense, 98 of whom were representatives of state-owned enterprises that were BHP Billiton customers. The flight and hospitality packages the officials received were worth between $12,000 and $16,000 per package.
Of note, the SEC did not allege any specific quid pro quo in exchange for the trips (and did not allege that BHP Billiton violated the anti-bribery provisions of the FCPA), but noted that the foreign officials came from African and Asian countries with well-known histories of corruption and were in a position to influence pending contract negotiations, efforts to obtain access right, and other regulatory and business dealings affecting BHP Billiton. The SEC settlement order found that BHP Billiton’s Olympic hospitality applications did not accurately reflect pending negotiations or business dealings between BHP Billiton and government officials invited to the Olympics, and also found that the company failed “to design and maintain sufficient internal controls over the Olympic global hospitality program.”
Continuing recent efforts to highlight the nature of certain companies’ cooperation efforts, the SEC called out BHP Billiton’s “significant cooperation” with the government’s investigation by, among other things, “voluntarily producing large volumes of business, financial, and accounting documents from around the world in response to the staff’s requests, and by voluntarily producing translations of key documents.” The SEC also noted the remedial efforts undertaken by the company to improve its compliance programs, including the creation of a compliance group within its legal department that reports directly to BHP Billiton’s general counsel and audit committee. According to the order, BHP Billiton also enhanced its financial and auditing controls, including its policies for conducting business in high-risk markets, and conducted extensive employee training on anti-corruption issues. The settlement requires the company to report to the SEC on the operation of its FCPA and anti-corruption compliance program for a one-year period, although no independent monitor was required.
On March 26, the FTC released an anticipated report on consumer privacy, calling on all companies to adopt certain practices to protect consumers’ private information. The final report outlines three basic principles: (i) “privacy by design”, (ii) simplified choice, and (iii) increased transparency. Though the report and recommended practices do not carry the force of law, the FTC encourages adoption of the recommendations to support innovation and commerce while improving consumer protection. The report also serves as a blueprint for what the FTC is seeking in federal privacy legislation. Pending congressional action, the FTC will continue to employ its existing enforcement authority to address unfair or deceptive practices, including practices that violate self-regulatory programs. Further, the FTC intends to support implementation of the framework by focusing on several substantive topics and stakeholder groups, including (i) do not track, (ii) mobile services, (iii) data brokers, (iv) large platform providers, and (v) industry codes of conduct. For example, the FTC will focus on mobile services by updating guidance about online advertising disclosures, including holding a workshop on model mobile disclosures on May 30, 2012. It also calls on mobile service providers to establish industry standards that address data collection, transfer, use, and disposal, particularly for location data.
On March 20, the CFPB submitted to Congress its first annual report on the administration and enforcement of the Fair Debt Collections Practices Act (FDCPA). The CFPB inherited the annual reporting function as part of the Dodd-Frank Act’s transfer to the CFPB of the primary regulatory responsibility for the FDCPA. Prior to this report, the FTC prepared the annual report, and this year it submitted a letter to the CFPB detailing its efforts under the FDCPA. The report, as informed by the FTC letter, provides (i) a brief background on the FDCPA, (ii) a summary of consumer complaints about the debt collection industry, (iii) a description of the CFPB’s FDCPA supervision authority, including its rulemaking to expand that authority by defining “larger participant” nonbanks, (iv) an outline of recent FTC and CFPB enforcement activity and amicus briefs filed against entities engaged in debt collection, including ongoing non-public investigations of debt collection practices, and (v) each regulator’s FDCPA-related research and policy initiatives.
- Daniel P. Stipano to discuss "BSA/AML culture of compliance roundtable" at the FiSCA Annual Conference
- Daniel P. Stipano to discuss "Is there a better way to fight money laundering" at the FiSCA Annual Conference
- Michelle L. Rogers to discuss "What's trending in enforcement" at the Mortgage Bankers Association Annual Convention & Expo
- Kathryn L. Ryan and Moorari K. Shah to discuss "Today's regulatory environment - Are you in the know?" at the Equipment Leasing and Finance Association Annual Convention
- Buckley Webcast: Smoke and mirrors: Navigating the regulatory landscape in banking the marijuana industry
- H Joshua Kotin to discuss "CMS - Components of a successful monitoring program" at the RegList Annual Workshop
- Tim Lange to discuss "Temporary authority to operate - Are you prepared? Hear what the states are doing" at the RegList Annual Workshop
- Sherry-Maria Safchuk to discuss "Cybersecurity" at the RegList Annual Workshop
- Jeffrey P. Naimon to discuss "Hot topics in mortgage origination" at the Conference on Consumer Finance Law Annual Consumer Financial Services Conference
- Sherry-Maria Safchuk to discuss "CCPA: Countdown to compliance – A discussion of common questions and what is next on the CA privacy horizon" at the Conference on Consumer Finance Law Annual Consumer Financial Services Conference
- Jonice Gray Tucker to discuss "Fintech regulatory developments, crypto-assets, blockchain and digital banking, and consumer issues" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "Adapting to the rapidly changing compliance landscape involving marijuana and marijuana-related businesses" at an ACAMS webinar
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference