Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as, “Vendee loans”), Native American Direct Loans, and refunded loans held by the VA. The policy lists categories and warning signs monitored by the VA, such as (i) credit reporting agencies alerts; (ii) suspicious documents that look altered or forged; (iii) suspicious or fictitious personal identifying information; and (iv) account activity inconsistent with established patterns. The policy notes that the VA Office of Inspector General will investigate accounts flagged for possible identity theft. Holds will be placed on the suspicious accounts or transactions as necessary.
The VA is required by the FTC’s Red Flags Rule to develop and implement a written identity theft prevention program. Notably, as previously covered by InfoBytes, the FTC is seeking comments on whether the agency should make changes to the Rule. Comments are due by February 11, 2019.
Court grants summary judgment in favor of FTC and Florida State Attorney General in debt relief scam case
On December 10, the U.S. District Court for the Middle District of Florida granted the FTC and the Florida Attorney General’s motion for summary judgment against an individual accused of participating in a scheme that allegedly targeted financially distressed consumers through illegal robocalls selling bogus credit card debt relief services and interest rate reductions. According to a 2016 complaint, several interrelated companies and the founder of such companies (defendants), among other things, allegedly violated the FTC Act, the Telemarketing Sales Rule, and the Florida Deceptive and Unfair Trade Practices Act by (i) claiming to be “licensed enrollment center[s]” for major credit card networks with the ability to work with a consumer’s credit card company or bank to substantially and permanently lower credit card interest rates; (ii) charging up-front payments for debt relief and rate-reduction services; and (iii) pitching credit card debt-elimination services, claiming the defendants could access money from a government fund to pay off consumers’ credit card debt in 18 months, when in actuality, no such government fund existed. In some cases, the defendants instructed consumers to stop paying their credit-card bills, resulting in “significant harm in the form of reduced creditworthiness, higher interest rates on their existing credit-card debt, and higher overall credit-card debt due to the accrual of late fees and interest charges.”
The court entered a permanent injunction ordering the defendant founder of the companies involved to pay over $23 million in equitable monetary relief. The order also permanently restrains and enjoins such defendant from, among other things, participating—whether directly or indirectly—in (i) telemarketing; (ii) advertising, marketing, selling, or promoting any debt relief products or services; or (iii) misrepresenting material facts.
On December 11, the FTC entered into a proposed settlement with an Arizona-based company and its officer (defendants) relating to an allegedly deceptive credit card telemarketing operation. As previously covered by InfoBytes, the FTC alleged that the defendants—as part of a larger group of 12 defendants comprised of an independent sales organization, sales agents, payment processors, and identified principals—violated the FTC Act and the Telemarketing Sales Rule by assisting a telemarketing company in masking its identity by processing the company’s credit card payments and laundering credit card transactions on behalf of multiple fictitious companies. The proposed settlement, among other things, prohibits the defendants from engaging in credit card laundering and bans them from telemarketing, processing payments, or acting as an independent sales organization or sales agent. The order also stipulates a judgment of $5.7 million, which will be suspended unless it is determined that the financial statements submitted by the defendants contain any inaccuracies.
In March 2018, the FTC reached settlements with two of the other defendants (see InfoBytes coverage here). Litigation continues against the remaining defendants.
On December 7, as part of Operation Game of Loans—a coordinated effort between the FTC and state law enforcement—the FTC announced settlements with operators of two student loan debt relief operations to resolve allegations that the defendants violated the FTC Act and the Telemarketing Sales Rule by, among others (i) charging consumers who purchased the debt relief services illegal upfront fees; and (ii) falsely promising to assist consumers in enrolling in government programs that would reduce or forgive their student loan debt.
Under the terms of the settlement, the defendants are permanently banned from advertising, marketing, promoting, offering for sale, or selling any type of debt relief product or service—or from assisting others in doing the same. Combined, the settlements total more than $36 million, though judgments have been partially suspended due to the defendants’ inability to pay.
On December 4, the FTC released a request for public comment on whether the agency should make changes to its identity theft detection rules—the Red Flags Rule and the Card Issuers Rule—which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. The FTC is seeking comment as part of its systematic review of all of its regulations and guides. According to the FTC, consumer complaints relating to identity theft represented the third largest category of consumer complaints made to the FTC through the first three quarters of 2018 and the second largest category in 2017. The FTC is seeking comment on all aspects of the two rules, but also poses specific questions for commenters to address, such as (i) whether there is a continuing need for the specific provisions of the rules; (ii) what significant costs have the rules imposed on consumers and businesses; and (iii) whether there are any types of creditors that are not currently covered by the Red Flags Rule but should be covered. The request for comment is due to be published in the Federal Register shortly, and comments must be received by February 11, 2019.
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and security. The hearing entitled “Oversight of the Federal Trade Commission” heard from the Chairman of the FTC as well as the agency’s four commissioners. Ranking Member Senator Bill Nelson’s opening statement discussed the need for providing additional resources to the FTC in order to ensure the agency is able to perform its mandated duties and effectively protect U.S. consumers from unfair or deceptive acts or practices. The five witnesses agreed that enforcement remains a priority for the FTC and called for comprehensive consumer privacy legislation that would clarify the agency’s authority and the rules relating to data security and breach notification, while fostering competition and innovation to the benefit of consumers. Specifically, FTC Chairman Joseph Simons stated he would support federal data security legislation if it provided the following three items: (i) the ability to seek civil money penalties to effectively deter unlawful conduct; (ii) jurisdiction over nonprofits and common carriers; and (iii) broad rulemaking authority to issue implementing rules under the Administrative Procedures Act for consumer protection issues such as privacy and data security. Commissioner Rohit Chopra also emphasized the need for Congress to support the FTC’s authority under Section 13B of the FTC Act, which authorizes the FTC to seek preliminary and permanent injunctions against companies and individuals.
However, Senator Blumenthal argued that too often the FTC has “fallen short” on protecting consumer privacy, particularly in terms of enforcement and pressing challenges. According to Senator Blumenthal, big tech companies misuse their power and consent orders are not “vigorously and adequately enforced.” He argued that the FTC must have the tools and resources to establish meaningful penalties for first offenses that pose a credible deterrent and recognize state attorneys general to ensure violations are investigated and punished.
Among other things, the hearing also discussed topics addressing: (i) the FTC’s ongoing series of public hearings reexamining the agency’s approach to consumer privacy in light of changing technologies (see previous InfoBytes coverage here); (ii) federal preemption versus state-by-state laws and the risk of inconsistencies and compliance challenges; (iii) the potential use of the FTC’s Section 6B authority, which would allow requests to be sent to the tech industry to understand what data is collected from consumers and how that information is used, shared, and sold; (iv) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; (v) data minimization controls; and (vi) notice and comment rulemaking authority.
FTC settles with one student loan debt relief operation; seeks separate permanent injunction against another
On November 20, the FTC announced a settlement with operators of a student loan debt relief operation to resolve allegations that the defendants defrauded consumers through programs offering mortgage assistance and student debt relief. Regarding the student debt operations, the FTC alleged that the defendants falsely offered student borrowers reduced monthly payments or loan forgiveness by falsely claiming to be affiliated with the Department of Education. In a 2017 complaint, the FTC alleged that the defendants also falsely promised foreclosure prevention and mortgage relief to distressed homeowners, but instead collected advance fees in violation of the Telemarketing Sales Rule (TSR) and the Mortgage Assistance Relief Services Rule. Among other things, the settlement includes a judgment of more than $9 million—which will be partially suspended once the defendants turn over all assets worth approximately $305,000 because of their inability to pay—and bans the defendants from participating in debt relief and telemarketing activities in the future.
The same day, the FTC also announced it was charging a separate student loan debt relief operation with violations of the FTC Act and the TSR for allegedly engaging in deceptive practices when marketing and selling their debt relief services. According to the complaint, the operators of the scheme—which include a recidivist scammer previously banned from participating in debt relief activities—allegedly “promoted a 96 percent success rate in reducing consumers’ student loan payments.” However, the FTC stated that consumers who purchased the debt relief services and often paid illegal upfront fees “often did not receive any debt relief and lost hundreds of dollars.” On November 13, the U.S. District Court for the Central District of California issued a temporary restraining order and asset freeze at the FTC’s request. The FTC seeks a permanent injunction against the defendants to prevent future violations, as well as redress for injured consumers through “rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”
On November 13, the FTC submitted comments in response to the Department of Commerce’s National Telecommunications and Information Administration (NTIA) request for input on developing the Administration’s approach to consumer data privacy protections. In its comment letter, the FTC noted that it supported a balanced approach to privacy, weighing the risks of data misuse with the benefits of data to innovation and competition, and reiterated its support for data privacy legislation. Specifically, the FTC renewed its call for Congressional action that clarifies the FTC’s authority and the rules relating to data security and breach notification. According to the FTC, any such legislation should balance “consumers’ legitimate concerns about the protections afforded to the collection, use, and sharing of their data with business’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”
The FTC emphasized it is “uniquely situated” to balance consumers’ interest in privacy, innovation, and competition and argued it should continue to be the primary enforcer of the laws related to “information flows in the marketplace,” whether it’s under the existing or new privacy framework. The FTC noted, however, that the existing framework places a number of limitations on its powers, including (i) its lack of authority over non-profits and common carriers; (ii) its inability to levy civil money penalties; and (iii) its lack of broad rulemaking authority under the APA for consumer protection issues such as privacy and data security.
On November 7, the SEC announced a settlement with a financial services firm to resolve allegations that the firm mishandled the pre-release of American Depositary Receipts (ADRs)—U.S. securities that represent shares in foreign companies. The SEC noted in its press release that ADRs can be pre-released without the deposit of foreign shares only if: (i) the brokers receiving the ADRs have an agreement with a depository bank; and (ii) the broker or the broker's customer owns the number of foreign shares that corresponds to the number of shares the ADR represents. The SEC alleged that the firm improperly provided thousands of ADRs where neither the broker nor its customers possessed the required shares. According to the SEC’s order, the firm’s alleged practice of allowing pre-released ADRs, that were in many instances not backed by ordinary shares, violated the Securities Act of 1933. The firm has neither admitted nor denied the SEC’s allegations, but has agreed to pay more than $25.1 million in disgorgement and prejudgment interest, along with a $13.5 million penalty. The SEC’s order further acknowledges the firm’s cooperation in the investigation.
Money services business agrees to extend DOJ deferred prosecution agreement; settles FTC order breach
On November 8, the DOJ announced that a money services business has agreed to forfeit $125 million and extend its deferred prosecution agreement (DPA) due to deficiencies in its anti-fraud and anti-money laundering (AML) programs. The global settlement also resolves contempt allegations brought by the FTC related to the violation of a 2009 FTC order, which mandated that the company implement a comprehensive fraud prevention program.
The DOJ filed charges against the company in 2012 for allegedly “willfully failing to maintain an effective AML program and aiding and abetting wire fraud,” including scams targeting the elderly and other vulnerable groups that involved victims sending funds through the company’s money transfer system. In connection with the DOJ’s and company’s joint motion to extend and amend the DPA, the DOJ announced that the company: (i) experienced significant weaknesses in its AML and anti-fraud program; (ii) inadequately disclosed these weaknesses to the government; and (iii) failed to complete all of the DPA’s required enhanced compliance undertakings, resulting in the processing of at least $125 million additional consumer fraud transactions between April 2015 and October 2016. Under the amendment to and extension of the DPA—in effect until May 2021—the company has agreed to, among other things, comply with additional enhanced anti-fraud and AML compliance obligations.
In a related matter, the FTC filed a motion for compensatory relief and modified order for permanent injunction, which alleges that the company failed to adopt and implement a comprehensive fraud prevention program mandated by the 2009 order. The motion indicates that the company has agreed to the entry of an order modifying the 2009 Order to include a broader range of relief, including a requirement to interdict (or block) the transfers of known fraudsters and provide refunds for non-compliance with certain policies or procedures.
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference