InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC settles with software provider over data security failures
On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
In its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The proposed consent order requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the proposed consent order requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
FTC shares 2018 enforcement report with the CFPB
On June 6, the FTC announced that it submitted its 2018 Annual Financial Acts Enforcement Report to the CFPB. The report—which the Bureau requested for its use in preparing its 2018 Annual Report to Congress—covers the FTC’s enforcement activities regarding Regulation Z (the Truth in Lending Act or TILA), Regulation M (the Consumer Leasing Act or CLA), and Regulation E (the Electronic Fund Transfer Act or EFTA). Highlights of the enforcement matters covered in the report include:
- Auto Lending and Leasing. The report discusses two enforcement matters related to deceptive automobile dealer practices. The first, filed in August 2018, alleged that a group of four auto dealers, among other things, advertised misleading discounts and incentives in their vehicle advertisements, and falsely inflated consumers’ income and down payment information on financing applications. The charges brought against the defendants allege violations of the FTC Act, TILA, and the CLA. The FTC sought, among other remedies, a permanent injunction to prevent future violations, restitution, and disgorgement. (Detailed InfoBytes coverage of the filing is available here.) In the second, in December 2018, the FTC mailed over 43,000 checks, totaling over $3.5 million, to consumers allegedly harmed by nine dealerships and owners engaged in deceptive and unfair sales and financing practices, deceptive advertising, and deceptive online reviews. (Detailed InfoBytes coverage is available here.)
- Payday Lending. The report covers two enforcement matters, including the U.S. Court of Appeals for the 9th Circuit’s December 2018 decision upholding the $1.3 billion judgment against defendants responsible for operating an allegedly deceptive payday lending program. The decision is the result of a 2012 complaint in which the FTC alleged that the defendants engaged in deceptive acts or practices in violation of Section 5(a) of the FTC Act by making false and misleading representations about costs and payment of the loans. (Detailed InfoBytes coverage is available here.) The report also indicates that, in February 2018, the FTC issued over 72,000 checks totaling more an $2.9 million to consumers stemming from a July 2015 settlement, that alleged that online payday operators used personal financial information purchased from third-party lead generators or data brokers to make unauthorized deposits into and withdrawals from consumers’ bank accounts, regardless of whether the consumer applied for a payday loan. (Detailed InfoBytes coverage is available here.)
- Negative Option. The report covers six enforcement matters related to alleged violations of the EFTA and Regulation E for “negative option” plans, including three new filings against online marketers for allegedly advertising “free trial” offers for products that enrolled consumers in expensive, ongoing plans without their knowledge or consent. The report notes that, in 2018, the FTC reached a settlement with one entity and obtained a court judgment against another, both resulting in injunctive relief and monetary settlements (which were suspended due to the defendants’ inability to pay). The report also notes that the FTC mailed 2,116 refund checks totaling more than $355,000 to people who bought an allegedly deceptive “memory improvement” supplement.
Additionally, the report addresses the FTC’s research and policy efforts related to truth in lending and leasing, and electronic fund transfer issues, including (i) a study of consumers’ experiences in buying and financing automobiles at dealerships; and (ii) the FTC’s Military Task Force’s work on military consumer protection issues. The report also outlines the FTC’s consumer and business education efforts, which include several blog posts warning of new scams and practices.
FTC introduces dedicated fintech webpage
On May 24, the FTC announced the launch of a dedicated fintech resource page hosted on the agency’s business center website. The fintech page contains the following materials: (i) guidance, including Safeguards Rule and Privacy Rule compliance information; (ii) videos that will be regularly rotated discussing topics such as artificial intelligence and blockchain; (iii) related posts containing relevant information on small business financing and recent fintech enforcement actions; and (iv) legal resources, including relevant cases and staff reports.
Payment processor settles FTC fraud allegations
On May 21, the FTC announced a payment processor, its CEO and owner, and two other officers (collectively, “defendants”) agreed to settle charges that they knowingly processed fraudulent transactions to consumers’ accounts in violation of the FTC Act. According to the FTC’s complaint, the defendants allegedly assisted merchants, who were engaged in fraud, in hiding their activities from banks and credit card networks. The defendants allegedly (i) created fake foreign shell companies to open accounts in their names; (ii) submitted dummy websites and other false information to merchant banks; and (iii) worked to evade card network rules and monitoring designed to prevent fraud. The settlement order against the processing company and its CEO imposes a judgment of over $110 million, which is partially suspended due to the inability to pay. The settlement order against one officer imposes a judgment of over $300,000, which is suspended due to the inability to pay. The settlement order against the second officer, the company’s Chief Operating Officer, imposes a $1 million judgment. Each order imposes a permanent ban on the defendants from, among other things, engaging in payment processing and credit card laundering, whether directly or through an intermediary.
FTC rescinds FCRA model forms and disclosures
On May 22, the FTC published a final rule in the Federal Register rescinding model forms and disclosures promulgated pursuant to the FCRA. The FTC has determined the model forms and disclosures are no longer necessary and the rescission would reduce confusion as the CFPB’s FCRA model forms and disclosures were updated in 2018. Specifically, the final rule rescinds: (i) Appendix A—Model Prescreen Opt-Out Notices; (ii) Appendix D—Standardized Form for Requesting Annual File Disclosures; (iii) Appendix E—Summary of Identity Theft Rights; (iv) Appendix F—General Summary of Consumer Rights; (v) Appendix G—Notice of Furnisher Responsibilities; and (vi) Appendix H—Notice of User Responsibilities. The final rule also makes conforming amendments to FTC rules that reference the applicable forms issued under the FCRA. The rule is effective May 22.
FTC Commissioners discuss state privacy preemption
On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned about the agency’s privacy and data security enforcement and regulatory activities, including whether they would support preemption of state privacy laws by a federal privacy statute. Using the California Consumer Privacy Act (covered by InfoBytes here) as an example, some Congressmen worried about the prospect of conflicting privacy legislation in other states, creating “confusion and uncertainty in the business community.”
Split along party lines, Democratic Commissioners expressed caution with federal preemption of state privacy laws; Commissioner Chopra, citing to federal preemption laws leading up to the mortgage crisis, warned of “unintended consequences.” Democratic Commissioner Slaughter recognized the “desire for uniformity, consistency, clarity, and predictability” that a federal law would provide, but noted that the appropriateness of preemption should be based on “whether a federal law meets or exceeds…the level of protections that states can provide and whether it allows them the opportunity to fill any gaps that may remain after a federal law is developed.” Republican Commissioners stressed the importance of having a federal law that would preempt the current “patchwork” of state laws, which Commissioner Phillips argued is “essential” in order to provide businesses clarity and reduced compliance costs, while also providing consumers with more power to understand expectations. FTC Chairman Simons noted that even if federal law preempts state privacy laws, Congress should grant concurrent enforcement authority to the states’ attorneys general.
The hearing also discussed, among other things, (i) the need for additional resources to increase agency staff focused on privacy issues; (ii) giving the FTC authority to levy civil money penalties, as Section 5 of the FTC act does not allow the Commission to seek civil penalties for first-time privacy violations; and (iii) the need for targeted rule-making authority.
FTC holds forum on marketplace lending to small businesses
On May 8, the FTC held a forum with members of the small business marketplace to discuss the recent uptick in online loans and alternative financing products, and to analyze the potential for unfair and deceptive marketing, sales, and collection practices in the industry. Opening “Strictly Business: An FTC Forum on Small Business Financing,” FTC Commissioner Rohit Chopra expressed broad concerns about the state of entrepreneurship in the U.S. and the barriers small businesses face when negotiating contracts. Three panels discussed topics including (i) recent trends in the financing marketplace and small business financing products; (ii) the impact of fintech in online lending; (iii) an examination of the risks and benefits of the merchant cash advance industry; and (iv) consumer protection risks and legislative, self-regulatory, and educational efforts to help better protect borrowers.
During the first panel, several industry members discussed the importance of credit and financing products in meeting the capital needs of small businesses who often experience challenges with funding operations and cash management. While traditional bank lending and Small Business Administration (SBA) loans often require lengthy, costly underwriting standards, several panelists noted that new marketplace financing options have created opportunities for small businesses that previously did not exist. Among other things, panelists emphasized that there is a big difference between consumer credit and business credit, and that online lenders are leveraging underlying business data, credit card receivables data, and fundamental underlying business transaction data to make sure small businesses can sustain and service their debt. Funding time is also critical to small businesses with many choosing online lenders for faster access to funds. The panel discussed the benefits of online financing products, such as moving away from including consumer credit scores in the underwriting process and examining nontraditional data to look at cash flow, but also cautioned that there can be a lack of transparency around terms and pricing.
The second panel discussed the merchant cash-advance (MCA) industry, which they described as providing an unregulated form of financing for small businesses in the form of factoring future receivables. Recently, the industry has been scrutinized for alleged collection abuses and use of confessions of judgment (COJs). COJs, which allow lenders to legally seize borrowers’ bank accounts and other assets without a judge’s review, have led to a flood of questionable legal actions against small businesses, according to Commissioner Chopra. However, one of the panelists noted that the FTC limited the ban on COJs to consumers.
The third panel discussed consumer protection risks as well as products and information available for small business borrowers. A key concern amongst several of the panelists was whether business borrowers are sophisticated enough to understand the various options and if they are able to receive the necessary information to shop between products, such as APRs, total costs, and average monthly payments. The panel also discussed federal and state law, as well as self-regulatory efforts, that offer protections for small business borrowers. All agreed that there has been significant action taken at the state level to try to standardize and harmonize these types of lending practices, and while there was support for a national standard, they cautioned that a weaker national standard should not preempt a stronger state standard. Transparent disclosure standards, consumer protection oriented issues such as privacy and data security, as well as deceptive practices, were also discussed, with panelists agreeing that outreach and consumer education is vital in helping consumers make informed decisions.
Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, closed the forum by emphasizing that the FTC has broad authority under the FTC Act to tackle unfair and deceptive practices, and stating that the Commission is very concerned about reports of unfair and deceptive marketing, sales, and collection practices in the small-business finance market. He stressed that while financial technologies can evolve quickly, the underlying legal protections for small businesses remain the same.
FTC confirms continuing need for Holder Rule
On May 2, the FTC announced it completed its review of the Holder Rule (the Rule)—formally called the “Trade Regulation Rule Concerning Preservation of Consumers’ Claims and Defenses”—which is applicable when consumers purchase personal goods or services with money loaned by a merchant or a lender that works with a merchant. The Rule, aimed at preventing businesses from using financing mechanisms to collect debts from consumers in situations where the merchant failed to deliver the goods or services or engaged in fraud or other misconduct, preserves consumers’ right to assert the same legal claims and defenses against anyone who purchases the credit contract as they would have against the seller who originally provided the credit. In 2015, as part of a systematic review of all its rules and guides, the FTC sought public comment on the Rule and received 19 comments in response. All comments urged retaining the Rule, and after review, the Commission determined there was a continuing need for the Rule and the record did not warrant a rulemaking to modify the Rule. As reflected in the notice published in the Federal Register, the FTC’s action confirming the Rule took effect May 2 and is applicable as of April 23.
Websites settle FTC data security allegations
On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the online rewards website operator collected personal information (PII) from users who participated in their online offerings and made promises that their account information was secure. However, the operator allegedly failed to implement data security measures or utilize encryption techniques, which granted hackers access to the network. In addition, the operator allegedly maintained PII in clear unencrypted text. As a result of the breach, hackers published and offered for sale PII for approximately 2.7 million consumers. Under the terms of the decision and order, the operator is, among other things, prohibited from misrepresenting the measures taken to protect consumers’ PII and is required to implement a comprehensive information security program for future collections of PII.
On the same day, the FTC reached a proposed settlement with a dress-up games website and its operators, who allegedly violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 or provide reasonable and appropriate security for the collected data. According to the FTC, data security failures allowed hackers access to the company’s network, which stored information for roughly 245,000 users under age 13. As part of the proposed settlement filed in the U.S. District Court for the Northern District of California, the company and operators, among other things, (i) have agreed to pay $35,000 in civil penalties; (ii) will change their business practices to comply with COPPA; and (iii) are prohibited from selling, sharing, or collecting personal information until a comprehensive data security program is implemented and undergoes independent biennial assessments.
FTC obtains $2.7 million judgment against “free samples” operation; settles deceptive marketing matter
On April 11, the FTC announced that the U.S. District Court for the Northern District of Illinois ordered a New York-based office supply operation to pay $2.7 million to resolve allegations that the defendants targeted consumers, such as small businesses, hotels, municipalities, and charitable organizations, by deceptively misrepresenting the terms of their “free samples.” Specifically, the FTC alleged in 2017 that the defendants violated the Telemarketing and Consumer Fraud and Abuse Prevention Act (Telemarketing Act) and the Unordered Merchandise Statute by calling consumers with offers of free product and then billing the consumers after shipping the samples. In some instances, the FTC stated, consumers refused the offer of the free product, but the defendants sent it anyway. Once the samples were shipped, the FTC claimed the defendants sent follow-up invoices demanding payment for the product, and would then send dunning notices and place collection calls. Under the terms of the order, the defendants are permanently banned from advertising, marketing, promoting, offering for sale, or selling any type of unordered merchandise, or from misrepresenting material facts, and are required to pay $2.7 million to be refunded to affected consumers.
Separately, on April 10, the FTC announced proposed settlements (see here and here) issued against twelve corporate and four individual defendants for allegedly claiming their “cognitive improvement” supplements increase brain power and performance. According to the complaint, the defendants’ deceptive acts and practices included using “sham news” websites to market false and misleading efficacy claims, such as fraudulent celebrity endorsements and fictitious clinical studies. Furthermore, the FTC alleged that, while the defendants claimed to offer a “100% Money Back Guarantee” on their supplements, consumers found it difficult or nearly impossible to get a refund, and that some consumers were allegedly charged for supplements they ordered but never received. The proposed settlements, among other things, prohibits the specified behavior and impose monetary judgments of $14,564,891 and $11,587,117, both of which will be partially suspended due to the defendants’ inability to pay.